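query "iam_access_group_with_public_access" {
  # Alarms on accounts that contain an IAM access group named 'Public Access'.
  #
  # The previous version filtered the CTE down to 'Public Access' groups and then
  # tested `name is null` on that filtered set, so the 'ok' branch could never be
  # reached and accounts without the group produced no row at all. Every account
  # visible in ibm_iam_access_group now gets exactly one row per matching group,
  # or a single 'ok' row when no such group exists.
  #
  # Columns: resource (group id, or account id for the 'ok' row), status, reason, account_id.
  sql = <<-EOQ
    -- every account for which we can observe access groups
    with accounts as (
      select distinct
        account_id
      from
        ibm_iam_access_group
    ),
    -- groups whose name is exactly 'Public Access' (match is case-sensitive)
    public_access as (
      select
        id,
        name,
        account_id
      from
        ibm_iam_access_group
      where
        name = 'Public Access'
    )
    select
      coalesce(p.id, a.account_id) as resource,
      case
        when p.id is null then 'ok'
        else 'alarm'
      end as status,
      case
        when p.id is null then 'No public access group configured in account.'
        else p.name || ' group configured in account.'
      end as reason,
      a.account_id
    from
      accounts as a
      left join public_access as p on p.account_id = a.account_id;
  EOQ
}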
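query "iam_account_owner_no_api_key" {
  # Alarms when API keys belonging to the account owner exist.
  #
  # The previous comma join was an inner join, so an account whose owner has no
  # API keys produced no row and the 'ok' branch was unreachable. A LEFT JOIN
  # keeps every account; count(k.iam_id) is 0 when nothing matched.
  #
  # The owner is matched by taking the second '-'-separated segment of the key's
  # iam_id (presumably `IBMid-<unique_id>`); service-ID keys (`iam-ServiceId-...`)
  # yield 'ServiceId' there and so never match — TODO confirm against the plugin.
  #
  # Columns: resource (account guid), status, reason, guid.
  sql = <<-EOQ
    select
      acc.guid as resource,
      case
        when count(k.iam_id) > 0 then 'alarm'
        else 'ok'
      end as status,
      case
        when count(k.iam_id) > 0 then 'Account owner API keys exist.'
        else 'No account owner API keys exist.'
      end as reason,
      acc.guid
    from
      ibm_account as acc
      -- left join so accounts with zero owner keys still report 'ok'
      left join ibm_iam_api_key as k
        on acc.owner_unique_id = split_part(k.iam_id, '-', 2)
    group by
      acc.guid;
  EOQ
}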
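query "iam_restrict_api_key_service_id_creation" {
  # 'ok' only when BOTH platform API key creation and service ID creation are
  # set to 'RESTRICTED' in the account settings; anything else is 'alarm'.
  #
  # The reason text previously used `<> 'RESTRICTED'`, which is UNKNOWN for a
  # NULL setting, so a NULL value fell through to the 'Both ... are restricted.'
  # message while status said 'alarm'. `is distinct from` treats NULL as
  # "not restricted" so status and reason agree.
  #
  # Columns: resource (account id), status, reason, account_id.
  sql = <<-EOQ
    select
      account_id as resource,
      case
        when restrict_create_service_id = 'RESTRICTED'
          and restrict_create_platform_api_key = 'RESTRICTED' then 'ok'
        else 'alarm'
      end as status,
      case
        when restrict_create_service_id is distinct from 'RESTRICTED'
          and restrict_create_platform_api_key is distinct from 'RESTRICTED'
          then 'Both API key and service ID creation are not restricted.'
        when restrict_create_service_id is distinct from 'RESTRICTED'
          and restrict_create_platform_api_key = 'RESTRICTED'
          then 'API key creation restricted, but service ID creation not restricted.'
        when restrict_create_service_id = 'RESTRICTED'
          and restrict_create_platform_api_key is distinct from 'RESTRICTED'
          then 'Service ID creation restricted, but API key creation not restricted.'
        else 'Both API key and service ID creation are restricted.'
      end as reason,
      account_id
    from
      ibm_iam_account_settings;
  EOQ
}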
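query "iam_support_center_access_group_configured" {
  # Reports whether a support-center access group exists in each account.
  #
  # Existing behaviour is kept: every access group gets a row, 'ok' when its
  # name contains 'support' (case-insensitive), 'skip' otherwise. Previously an
  # account with no such group produced only 'skip' rows and could never alarm;
  # an extra 'alarm' row per account is now emitted when no group name matches.
  #
  # NOTE(review): name matching is a heuristic — a group called "support" is not
  # proof it carries support-center policies. Tighten against the group's
  # policies if the plugin exposes them.
  #
  # Columns: resource (group id, or account id for the alarm row), status, reason, account_id.
  sql = <<-EOQ
    -- groups whose name looks support-related
    with support_groups as (
      select
        id,
        name,
        account_id
      from
        ibm_iam_access_group
      where
        name ilike '%support%'
    )
    select
      id as resource,
      case
        when name ilike '%support%' then 'ok'
        else 'skip'
      end as status,
      case
        when name ilike '%support%' then name || ' specific to support center access group.'
        else name || ' not specific to support center access group.'
      end as reason,
      account_id
    from
      ibm_iam_access_group
    union all
    -- one alarm per account that has access groups but none matching
    select
      a.account_id as resource,
      'alarm' as status,
      'No support center access group configured in account.' as reason,
      a.account_id
    from
      (select distinct account_id from ibm_iam_access_group) as a
    where
      not exists (
        select 1 from support_groups as s where s.account_id = a.account_id
      );
  EOQ
}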
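query "iam_user_api_key_age_90" {
  # Alarms on user API keys created 90 or more days ago; service ID keys
  # (iam_id prefixed 'iam-ServiceId') are skipped.
  #
  # The reason string concatenated u.user_id, which is NULL when the LEFT JOIN
  # to ibm_iam_user finds no user (e.g. a key whose owner is no longer listed);
  # NULL propagates through `||` and produced an empty reason. The user id now
  # falls back to the key's iam_id so the reason is always populated.
  #
  # Columns: resource (key crn), status, reason, account_id.
  sql = <<-EOQ
    select
      k.crn as resource,
      case
        when k.iam_id like 'iam-ServiceId%' then 'skip'
        -- 90-day rotation threshold
        when k.created_at <= (current_date - interval '90' day) then 'alarm'
        else 'ok'
      end as status,
      case
        when k.iam_id like 'iam-ServiceId%' then k.name || ' is a service ID API key.'
        else coalesce(u.user_id, k.iam_id) || ' ' || k.name || ' created '
          || to_char(k.created_at, 'DD-Mon-YYYY')
          || ' (' || extract(day from current_timestamp - k.created_at) || ' days).'
      end as status_reason_placeholder
    from
      ibm_iam_api_key as k
      left join ibm_iam_user as u on k.iam_id = u.iam_id;
  EOQ
}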
query "iam_user_member_of_only_access_group" {
  # 'alarm' for users that have access policies attached directly (a row in
  # ibm_iam_user_policy with non-null roles); 'ok' when access comes only
  # through access groups. One distinct row per user/status pair.
  #
  # Columns: resource (user iam_id), status, reason, account_id.
  sql = <<-EOQ
    select distinct
      u.iam_id as resource,
      case
        when p.roles is not null then 'alarm'
        else 'ok'
      end as status,
      case
        when p.roles is not null then u.user_id || ' has additional access policies assigned.'
        else u.user_id || ' has no additional access policies assigned.'
      end as reason,
      u.account_id
    from
      ibm_iam_user as u
      left join ibm_iam_user_policy as p on p.iam_id = u.iam_id;
  EOQ
}
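query "iam_user_mfa_enabled_all" {
  # Alarms when the account-level MFA setting is 'NONE'.
  #
  # Previously `mfa = 'NONE'` was UNKNOWN for a NULL setting, so an account with
  # no MFA value reported 'ok'. NULL is now treated as not enabled.
  #
  # NOTE(review): any value other than 'NONE' is treated as "MFA enabled for all
  # users"; if the setting has levels that only cover a subset of users, this
  # check should be tightened — confirm against the plugin's value set.
  #
  # Columns: resource (account id), status, reason, account_id.
  sql = <<-EOQ
    select
      account_id as resource,
      case
        when coalesce(mfa, 'NONE') = 'NONE' then 'alarm'
        else 'ok'
      end as status,
      case
        when coalesce(mfa, 'NONE') = 'NONE' then 'MFA not enabled for all users in account.'
        else 'MFA enabled for all users in account.'
      end as reason,
      account_id
    from
      ibm_iam_account_settings;
  EOQ
}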
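query "iam_user_with_valid_email" {
  # Alarms on users whose email is missing or does not look like an address.
  #
  # The previous predicate was `email !~ <regex> and email is null`, which can
  # never be true (a NULL email makes `!~` UNKNOWN), so every user reported 'ok',
  # and both reason branches said "has valid email". The condition is now
  # `email is null or email !~ <regex>` with distinct reason text.
  #
  # The display name falls back to iam_id so a NULL first/last name does not
  # blank out the reason via `||` NULL propagation.
  #
  # Columns: resource (user iam_id), status, reason, account_id.
  sql = <<-EOQ
    select
      iam_id as resource,
      case
        when email is null or email !~ '^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+[.][A-Za-z]+$' then 'alarm'
        else 'ok'
      end as status,
      case
        when email is null
          then coalesce(first_name || ' ' || last_name, iam_id) || ' has no email configured.'
        when email !~ '^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+[.][A-Za-z]+$'
          then coalesce(first_name || ' ' || last_name, iam_id) || ' has invalid email.'
        else coalesce(first_name || ' ' || last_name, iam_id) || ' has valid email.'
      end as reason,
      account_id
    from
      ibm_iam_user;
  EOQ
}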
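query "iam_user_with_valid_phone" {
  # Alarms on users with no primary phone number configured.
  #
  # The previous condition required `phonenumber is not null` AND
  # `alt_phonenumber != ''`, i.e. a user with only a primary number alarmed,
  # and a NULL alt_phonenumber made the comparison UNKNOWN (also alarm). Since
  # the reason text speaks only of "phone number configured", the check now
  # tests the primary phonenumber for non-null and non-empty.
  #
  # The display name falls back to iam_id so a NULL first/last name does not
  # blank out the reason via `||` NULL propagation.
  #
  # Columns: resource (user iam_id), status, reason, account_id.
  sql = <<-EOQ
    select
      iam_id as resource,
      case
        when phonenumber is not null and phonenumber <> '' then 'ok'
        else 'alarm'
      end as status,
      case
        when phonenumber is not null and phonenumber <> ''
          then coalesce(first_name || ' ' || last_name, iam_id) || ' has phone number configured.'
        else coalesce(first_name || ' ' || last_name, iam_id) || ' has no phone number configured.'
      end as reason,
      account_id
    from
      ibm_iam_user;
  EOQ
}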