-
Notifications
You must be signed in to change notification settings - Fork 106
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #766 from inspec/varunsharma5/aws_emr_sec_config
Added support for AWS::EMR::SecurityConfiguration.
- Loading branch information
Showing
12 changed files
with
559 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,93 @@ | ||
--- | ||
title: About the aws_emr_security_configuration Resource | ||
platform: aws | ||
--- | ||
|
||
# aws_emr_security_configuration | ||
|
||
Use the `aws_emr_security_configuration` InSpec audit resource to test properties of the singular resource of AWS EMR security configuration. | ||
|
||
## Syntax | ||
|
||
An `aws_emr_security_configuration` resource block declares the tests for a single AWS EMR security configuration by `security_configuration_name`. | ||
|
||
```ruby | ||
describe aws_emr_security_configuration(security_configuration_name: 'SECURITY_CONFIGURATION_NAME') do | ||
it { should exist } | ||
end | ||
``` | ||
|
||
```ruby | ||
describe aws_emr_security_configuration('SECURITY_CONFIGURATION_NAME') do | ||
it { should exist } | ||
end | ||
``` | ||
|
||
## Parameters | ||
|
||
`security_configuration_name` _(required)_ | ||
|
||
This resource requires a single parameter, the EMR security configuration name. | ||
This can be passed either as a string or as a `security_configuration_name: 'value'` key-value entry in a hash. | ||
|
||
See also the [AWS documentation on AWS EMR security configuration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-emr-securityconfiguration.html). | ||
|
||
## Properties | ||
|
||
|Property | Description| | ||
| --- | --- | | ||
|encryption_at_rest | Specifies whether at-rest encryption is enabled for the cluster.| | ||
|encryption_in_transit | Specifies whether in-transit encryption is enabled for the cluster.| | ||
|local_disk_encryption | Specifies whether local-disk encryption is enabled for the cluster. | | ||
|
||
## Examples | ||
|
||
### Test that an EMR security configuration has at-rest encryption enabled | ||
|
||
```ruby | ||
describe aws_emr_security_configuration('SECURITY_CONFIGURATION_NAME') do | ||
its ('encryption_at_rest') { should eq true } | ||
end | ||
``` | ||
|
||
### Test that an EMR security configuration has in-transit encryption enabled | ||
|
||
```ruby | ||
describe aws_emr_security_configuration('SECURITY_CONFIGURATION_NAME') do | ||
its ('encryption_in_transit') { should eq true } | ||
end | ||
``` | ||
|
||
### Test that an EMR security configuration has local-disk encryption enabled | ||
|
||
```ruby | ||
describe aws_emr_security_configuration('SECURITY_CONFIGURATION_NAME') do | ||
its ('local_disk_encryption') { should eq true } | ||
end | ||
``` | ||
|
||
## Matchers | ||
|
||
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/). | ||
|
||
### exist | ||
|
||
Use `should` to test the entity should exist. | ||
|
||
```ruby | ||
describe aws_emr_security_configuration('SECURITY_CONFIGURATION_NAME') do | ||
it { should exist } | ||
end | ||
``` | ||
|
||
Use `should_not` to test the entity should not exist. | ||
|
||
```ruby | ||
describe aws_emr_security_configuration('SECURITY_CONFIGURATION_NAME') do | ||
it { should_not exist } | ||
end | ||
``` | ||
|
||
## AWS Permissions | ||
|
||
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `EMR:Client:DescribeSecurityConfigurationOutput` action with `Effect` set to `Allow`. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,70 @@ | ||
--- | ||
title: About the aws_emr_security_configurationss Resource | ||
platform: aws | ||
--- | ||
|
||
# aws_emr_security_configurations | ||
|
||
Use the `aws_emr_security_configurations` resource to test the properties of collection for AWS EMR security configuration. | ||
|
||
## Syntax | ||
|
||
```ruby | ||
describe aws_emr_security_configurations do | ||
it { should exist } | ||
end | ||
``` | ||
|
||
### Parameters | ||
|
||
This resource does not expect any parameters. | ||
|
||
See also the [AWS documentation on AWS EMR security configuration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-emr-securityconfiguration.html). | ||
|
||
## Properties | ||
|
||
|Property | Description|Fields | | ||
| --- | --- |---| | ||
|security_configuration_names |The name of the security configuration.|name| | ||
|encryption_at_rest | Specifies whether at-rest encryption is enabled for the cluster.|security_configuration(EncryptionConfiguration(EnableAtRestEncryption))| | ||
|encryption_in_transit | Specifies whether in-transit encryption is enabled for the cluster.|security_configuration(EncryptionConfiguration(EnableInTransitEncryption))| | ||
|local_disk_encryption | Specifies whether local-disk encryption is enabled for the cluster. |security_configuration(EncryptionConfiguration(AtRestEncryptionConfiguration(LocalDiskEncryptionConfiguration)))| | ||
|
||
## Examples | ||
|
||
#### Ensure AWS EMR security configurations exists | ||
|
||
```ruby | ||
describe aws_emr_security_configurations do | ||
it { should exist } | ||
its('encryption_at_rests') { should include encryption_at_rest } | ||
its('encryption_in_transits') { should include encryption_in_transit } | ||
its('local_disk_encryptions') { should include local_disk_encryption } | ||
end | ||
``` | ||
|
||
## Matchers | ||
|
||
For a full list of available matchers, please visit our [matchers page](https://docs.chef.io/inspec/matchers/). | ||
|
||
### exist | ||
|
||
Use `should` to test an entity that should exist. | ||
|
||
```ruby | ||
describe aws_emr_security_configurations.where(security_configuration_name: 'SECURITY_CONFIGURATION_NAME') do | ||
it { should exist } | ||
end | ||
``` | ||
|
||
Use `should_not` to test an entity that should not exist. | ||
|
||
```ruby | ||
describe aws_emr_security_configurations.where(security_configuration_name: 'INVALID_SECURITY_CONFIGURATION_NAME') do | ||
it { should_not exist } | ||
end | ||
``` | ||
|
||
## AWS Permissions | ||
|
||
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `EMR:Client:DescribeSecurityConfigurationOutput` action with `Effect` set to `Allow`. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,48 @@ | ||
# frozen_string_literal: true | ||
|
||
require 'aws_backend' | ||
require 'json' | ||
|
||
class AwsEmrClusterSecurityConfiguration < AwsResourceBase | ||
name 'aws_emr_security_configuration' | ||
desc 'Verifies security configuration for an EMR cluster.' | ||
|
||
example " | ||
describe aws_emr_security_configuration('SECURITY_CONFIGURATION_NAME') do | ||
it { should exist } | ||
its('encryption_at_rest') { should eq true } | ||
its('encryption_in_transit') { should eq true } | ||
its('local_disk_encryption') { should eq true } | ||
end | ||
" | ||
|
||
attr_reader :security_configuration_name, :encryption_at_rest, :encryption_in_transit, :local_disk_encryption | ||
|
||
def initialize(opts = {}) | ||
opts = { security_configuration_name: opts } if opts.is_a?(String) | ||
super(opts) | ||
validate_parameters(required: %i(security_configuration_name)) | ||
catch_aws_errors do | ||
@security_configuration_name = opts[:security_configuration_name] | ||
|
||
resp = @aws.emr_client.describe_security_configuration({ name: @security_configuration_name }) | ||
return if resp.nil? || resp.empty? | ||
json_security_configuration = resp.security_configuration | ||
return if json_security_configuration.nil? || json_security_configuration.empty? | ||
parsed_json = JSON.parse(json_security_configuration) | ||
@encryption_at_rest = !parsed_json['EncryptionConfiguration']['EnableAtRestEncryption'].nil? && parsed_json['EncryptionConfiguration']['EnableAtRestEncryption'] | ||
@encryption_in_transit = !parsed_json['EncryptionConfiguration']['EnableInTransitEncryption'].nil? && parsed_json['EncryptionConfiguration']['EnableInTransitEncryption'] | ||
@local_disk_encryption = !parsed_json['EncryptionConfiguration']['AtRestEncryptionConfiguration'].nil? && | ||
!parsed_json['EncryptionConfiguration']['AtRestEncryptionConfiguration']['LocalDiskEncryptionConfiguration'].nil? && | ||
!parsed_json['EncryptionConfiguration']['AtRestEncryptionConfiguration']['LocalDiskEncryptionConfiguration'].empty? | ||
end | ||
end | ||
|
||
def exists? | ||
!@security_configuration_name.nil? && !@security_configuration_name.empty? | ||
end | ||
|
||
def to_s | ||
"AWS EMR Cluster Security Configuration Name: #{@security_configuration_name}" | ||
end | ||
end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,55 @@ | ||
# frozen_string_literal: true | ||
|
||
require 'aws_backend' | ||
require 'json' | ||
|
||
class AwsEmrClusterSecurityConfigurations < AwsResourceBase | ||
name 'aws_emr_security_configurations' | ||
desc 'Verifies collection of security configuration for an EMR cluster.' | ||
example " | ||
describe aws_emr_security_configurations do | ||
it { should exist } | ||
end | ||
" | ||
attr_reader :table | ||
|
||
FilterTable.create | ||
.register_column(:security_configuration_names, field: :security_configuration_name) | ||
.register_column(:encryption_at_rests, field: :encryption_at_rest) | ||
.register_column(:encryption_in_transits, field: :encryption_in_transit) | ||
.register_column(:local_disk_encryptions, field: :local_disk_encryption) | ||
.install_filter_methods_on_resource(self, :table) | ||
|
||
def initialize(opts = {}) | ||
super(opts) | ||
validate_parameters | ||
@table = fetch_data | ||
end | ||
|
||
def fetch_data | ||
security_configuration_rows = [] | ||
pagination_options = {} | ||
resp_security_configurations = {} | ||
catch_aws_errors do | ||
resp_security_configurations = @aws.emr_client.list_security_configurations(pagination_options) | ||
end | ||
|
||
return security_configuration_rows if !resp_security_configurations || resp_security_configurations.empty? | ||
|
||
resp_security_configurations.security_configurations.each do |s| | ||
resp_security_configuration = @aws.emr_client.describe_security_configuration({ name: s.name }) | ||
parsed_json = JSON.parse(resp_security_configuration.security_configuration) | ||
encryption_at_rest = !parsed_json['EncryptionConfiguration']['EnableAtRestEncryption'].nil? && parsed_json['EncryptionConfiguration']['EnableAtRestEncryption'] | ||
encryption_in_transit = !parsed_json['EncryptionConfiguration']['EnableInTransitEncryption'].nil? && parsed_json['EncryptionConfiguration']['EnableInTransitEncryption'] | ||
local_disk_encryption = !parsed_json['EncryptionConfiguration']['AtRestEncryptionConfiguration'].nil? && | ||
!parsed_json['EncryptionConfiguration']['AtRestEncryptionConfiguration']['LocalDiskEncryptionConfiguration'].nil? && | ||
!parsed_json['EncryptionConfiguration']['AtRestEncryptionConfiguration']['LocalDiskEncryptionConfiguration'].empty? | ||
|
||
security_configuration_rows += [{ security_configuration_name: s.name, | ||
encryption_at_rest: encryption_at_rest, | ||
encryption_in_transit: encryption_in_transit, | ||
local_disk_encryption: local_disk_encryption }] | ||
end | ||
@table = security_configuration_rows | ||
end | ||
end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
26 changes: 26 additions & 0 deletions
26
test/integration/verify/controls/aws_emr_security_configuration.rb
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,26 @@ | ||
require 'json' | ||
|
||
aws_emr_security_configuration_name = attribute(:aws_emr_security_configuration_name, value: '', description: 'The Name of the EMR Security Configuration.') | ||
aws_emr_security_configuration_name.gsub!('"', '') | ||
aws_emr_security_configuration_json = attribute(:aws_emr_security_configuration_json, value: '', description: 'The JSON formatted Security Configuration.') | ||
aws_emr_security_configuration_json.gsub!('EOT', '') | ||
aws_emr_security_configuration_json.gsub!('<<', '') | ||
|
||
parsed_json = JSON.parse(aws_emr_security_configuration_json.strip) | ||
encryption_at_rest = !parsed_json['EncryptionConfiguration']['EnableAtRestEncryption'].nil? && parsed_json['EncryptionConfiguration']['EnableAtRestEncryption'] | ||
encryption_in_transit = !parsed_json['EncryptionConfiguration']['EnableInTransitEncryption'].nil? && parsed_json['EncryptionConfiguration']['EnableInTransitEncryption'] | ||
local_disk_encryption = !parsed_json['EncryptionConfiguration']['AtRestEncryptionConfiguration'].nil? && | ||
!parsed_json['EncryptionConfiguration']['AtRestEncryptionConfiguration']['LocalDiskEncryptionConfiguration'].nil? && | ||
!parsed_json['EncryptionConfiguration']['AtRestEncryptionConfiguration']['LocalDiskEncryptionConfiguration'].empty? | ||
|
||
control 'aws-emr-security-configuration-1.0' do | ||
impact 1.0 | ||
title 'Test single AWS EMR Security Configuration' | ||
|
||
describe aws_emr_security_configuration(security_configuration_name: aws_emr_security_configuration_name) do | ||
it { should exist } | ||
its('encryption_at_rest'){ should eq encryption_at_rest } | ||
its('encryption_in_transit'){ should eq encryption_in_transit } | ||
its('local_disk_encryption'){ should eq local_disk_encryption } | ||
end | ||
end |
29 changes: 29 additions & 0 deletions
29
test/integration/verify/controls/aws_emr_security_configurations.rb
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
require 'json' | ||
|
||
aws_emr_security_configuration_name = attribute(:aws_emr_security_configuration_name, value: '', description: 'The Name of the EMR Security Configuration.') | ||
aws_emr_security_configuration_name.gsub!('"', '') | ||
aws_emr_security_configuration_json = attribute(:aws_emr_security_configuration_json, value: '', description: 'The JSON formatted Security Configuration.') | ||
aws_emr_security_configuration_json.gsub!('EOT', '') | ||
aws_emr_security_configuration_json.gsub!('<<', '') | ||
parsed_json = JSON.parse(aws_emr_security_configuration_json.strip) | ||
encryption_at_rest = !parsed_json['EncryptionConfiguration']['EnableAtRestEncryption'].nil? && parsed_json['EncryptionConfiguration']['EnableAtRestEncryption'] | ||
encryption_in_transit = !parsed_json['EncryptionConfiguration']['EnableInTransitEncryption'].nil? && parsed_json['EncryptionConfiguration']['EnableInTransitEncryption'] | ||
local_disk_encryption = !parsed_json['EncryptionConfiguration']['AtRestEncryptionConfiguration'].nil? && | ||
!parsed_json['EncryptionConfiguration']['AtRestEncryptionConfiguration']['LocalDiskEncryptionConfiguration'].nil? && | ||
!parsed_json['EncryptionConfiguration']['AtRestEncryptionConfiguration']['LocalDiskEncryptionConfiguration'].empty? | ||
|
||
control 'aws-emr-security-configurations-1.0' do | ||
impact 1.0 | ||
title 'Test AWS EMR Security Configuration in bulk' | ||
|
||
describe aws_emr_security_configurations do | ||
it { should exist } | ||
end | ||
|
||
describe aws_emr_security_configurations.where(security_configuration_name: aws_emr_security_configuration_name) do | ||
it { should exist } | ||
its('encryption_at_rests') { should include encryption_at_rest } | ||
its('encryption_in_transits') { should include encryption_in_transit } | ||
its('local_disk_encryptions') { should include local_disk_encryption } | ||
end | ||
end |
Oops, something went wrong.