
aws - account access-analyzer filter #6075

Merged
merged 13 commits into from
Sep 11, 2020
45 changes: 45 additions & 0 deletions c7n/resources/account.py
Expand Up @@ -367,6 +367,51 @@ def process(self, resources, event=None):
return []


@filters.register('access-analyzer')
class AccessAnalyzer(Filter):
"""Check for access analyzers in an account

:example:

.. code-block:: yaml

policies:
- name: account-access-analyzer
resource: account
region: us-east-1
filters:
- type: access-analyzer
status: active
trust: organization
"""

schema = type_schema('access-analyzer',
status={'oneOf': [{'enum': ['active', 'creating', 'disabled', 'failed']}]},
trust={'oneOf': [{'enum': ['account', 'organization']}]})
schema_alias = False
permissions = ('access-analyzer:ListAnalyzers',)

def process(self, resources, event=None):
account = resources[0]
status = self.data.get('status', 'active')
trust = self.data.get('trust', 'account')

client = local_session(self.manager.session_factory).client('accessanalyzer')

try:
analyzers = self.manager.retry(client.list_analyzers)['analyzers']
for analyzer in analyzers:
if analyzer['status'].lower() == status and analyzer['type'].lower() == trust:
account['c7n:AccessAnalyzer'] = analyzer
return resources
except Exception as e:
self.log.warning(
"Exception trying to list analyzers in account: %s error: %s",
self.manager.config.account_id, e)
raise e
return []


@filters.register('password-policy')
class AccountPasswordPolicy(ValueFilter):
"""Check an account's password policy.
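Review bot: The `list_analyzers` call in `AccessAnalyzer.process` reads only the first page of results; the API is paginated via `nextToken`, so an account whose matching analyzer falls on a later page would wrongly fail the filter and be reported as having no active analyzer. Iterate every page before comparing `status`/`type` (for example `client.get_paginator('list_analyzers').paginate().build_full_result()`, kept under the existing `self.manager.retry` wrapper, if botocore ships that paginator). The `except Exception as e: ... raise e` handler only logs before propagating, so the idiomatic bare `raise` (and `self.log.exception`, which records the traceback) would be cleaner. The docstring should also state the defaults the body applies (`status` defaults to `active`, `trust` to `account`) and that the first matching analyzer is annotated on the account resource as `c7n:AccessAnalyzer`.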
@@ -0,0 +1,15 @@
{
"status_code": 200,
"data": {
"ResponseMetadata": {},
"analyzers": [
{
"arn": "arn:aws:access-analyzer:us-east-1:0123456789012:analyzer/ConsoleAnalyzer-d534345f-499c-43bd-bbcc-dd637ab352d2",
"name": "ConsoleAnalyzer-d534345f-499c-43bd-bbcc-dd637ab352d2",
"status": "ACTIVE",
"tags": {},
"type": "ACCOUNT"
}
]
}
}
@@ -0,0 +1,10 @@
{
"status_code": 200,
"data": {
"AccountAliases": [
"test-account"
],
"IsTruncated": false,
"ResponseMetadata": {}
}
}
41 changes: 41 additions & 0 deletions tests/test_account.py
Expand Up @@ -13,6 +13,7 @@
from dateutil import parser
import json
import mock
from unittest.mock import MagicMock
import time

from .common import functional
Expand Down Expand Up @@ -859,6 +860,46 @@ def test_enable_trail(self):
status = client.get_trail_status(Name=arn)
self.assertTrue(status["IsLogging"])

def test_account_access_analyzer_filter(self):
session_factory = self.replay_flight_data("test_account_access_analyzer_filter")
p = self.load_policy(
{
"name": "account-access-analyzer",
"resource": "account",
"filters": ["access-analyzer"],
},
session_factory=session_factory,
)
resources = p.run()
self.assertEqual(len(resources), 1)

def test_account_access_analyzer_filter_error(self):
session_factory = self.replay_flight_data("test_account_access_analyzer_filter")
client = session_factory().client("accessanalyzer")
mock_factory = MagicMock()
mock_factory.region = 'us-east-1'
mock_factory().client(
'accessanalyzer').exceptions.InternalServerException = (
client.exceptions.InternalServerException)

mock_factory().client('accessanalyzer').list_analyzers.side_effect = (
client.exceptions.InternalServerException(
{'Error': {'Code': 'InternalServerException'}},
operation_name='list_analyzers'))

p = self.load_policy(
{
"name": "account-access-analyzer",
"resource": "account",
"filters": ["access-analyzer"],
},
session_factory=mock_factory,
)
try:
p.run()
except client.exceptions.InternalServerException:
mock_factory().client('accessanalyzer').list_analyzers.assert_called_once()

def test_account_shield_filter(self):
session_factory = self.replay_flight_data("test_account_shield_advanced_filter")
p = self.load_policy(
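Review bot: `test_account_access_analyzer_filter_error` passes vacuously when `p.run()` does not raise, because the `assert_called_once()` check sits inside the `except` clause and nothing on the success path fails the test. Replace the try/except with `with self.assertRaises(client.exceptions.InternalServerException): p.run()` followed by `mock_factory().client('accessanalyzer').list_analyzers.assert_called_once()` at function level, so both the exception and the single call are actually verified. The first hunk adds `from unittest.mock import MagicMock` beside the existing `import mock`; using one of the two keeps the module's mocking consistent.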