cloud-custodian / cloud-custodian

Rules engine for cloud security, cost optimization, and governance, DSL in yaml for policies to query, filter, and take actions on resources
https://cloudcustodian.io
Apache License 2.0

Crypto aws:kms finding AES256 encrypted buckets #9543

Open andrewhibbert opened 1 month ago

andrewhibbert commented 1 month ago

Describe the bug

With the following policy:

  - name: audit-s3-bucket-key-not-enabled
    resource: s3
    mode:
      type: periodic
      schedule: "rate(1 day)"
      role: <arn>
    filters:
      - type: bucket-encryption
        crypto: aws:kms
        state: True
        bucket_key_enabled: False

I am seeing AES256 encrypted buckets

What did you expect to happen?

Not to see AES256 encrypted buckets

Cloud Provider

Amazon Web Services (AWS)

Cloud Custodian version and dependency information

-> $ custodian version --debug

Please copy/paste the following info along with any bug reports:

Custodian:   0.9.36
Python:      3.9.1 (default, Mar 10 2021, 19:11:23)
             [Clang 12.0.0 (clang-1200.0.32.28)]
Platform:    posix.uname_result(sysname='Darwin', nodename='ELSLAPM-404211', release='21.6.0', version='Darwin Kernel Version 21.6.0: Wed Aug 10 14:25:27 PDT 2022; root:xnu-8020.141.5~2/RELEASE_X86_64', machine='x86_64')
Using venv:  True
Docker: False
Installed:

argcomplete==3.3.0
attrs==23.2.0
boto3==1.34.92
botocore==1.34.92
docutils==0.18.1
importlib-metadata==6.11.0
jmespath==1.0.1
jsonschema==4.21.1
jsonschema-specifications==2023.12.1
python-dateutil==2.9.0.post0
pyyaml==6.0.1
referencing==0.31.1
rpds-py==0.18.0
s3transfer==0.10.1
six==1.16.0
tabulate==0.9.0
urllib3==1.26.18
zipp==3.18.1

Policy

  - name: audit-s3-bucket-key-not-enabled
    resource: s3
    mode:
      type: periodic
      schedule: "rate(1 day)"
      role: <arn>
    filters:
      - type: bucket-encryption
        crypto: aws:kms
        state: True
        bucket_key_enabled: False

Relevant log/traceback output

No response

Extra information or context

No response

andrewhibbert commented 1 month ago

I assumed filters were ANDed but it looks to return the right information with these filters:

    filters:
      - and:
        - type: bucket-encryption
          bucket_key_enabled: False
        - type: bucket-encryption
          crypto: aws:kms
          state: True

kapilt commented 1 month ago

discussed in cncf c7n slack room https://cloud-native.slack.com/archives/C0280ENLPT7/p1717075826061559

effectively multiple attributes on this particular filter behave as "or"

at the moment the workaround is to use two separate filters; I'm a little concerned about changing the implementation logic wrt compatibility.

leaving this open as a reminder so we can add some documentation to the bucket-encryption filter docs.
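The behaviour discussed in this thread, modelled as an added Python example run over constructed bucket configurations (this is not Cloud Custodian's own filter code). The assumptions are: bucket names and the KMS key ARN are made up; the response shape follows the S3 GetBucketEncryption API; and the precedence rule that `bucket_key_enabled`, when set on a bucket that has an encryption rule, is decided on its own and the `crypto`/`state` attributes are skipped is my reading of the "or" behaviour kapilt describes, not something taken from the project's source. Under that model the reported policy selects the AES256 bucket, the `and` workaround does not, and the workaround agrees with the intended "KMS and bucket key disabled" check.

```python
"""Model of the bucket-encryption filter behaviour reported in this issue.

Added example, not Cloud Custodian's own filter implementation.
Assumption (my reading of the "or" behaviour described in the thread, not
taken from the project's source): when `bucket_key_enabled` is set and the
bucket has an encryption rule, the filter decides on that attribute alone and
never looks at `crypto` / `state`. Splitting the attributes across two filters
inside an `and` block forces both decisions to be made.
"""
from typing import Callable, Optional

# Constructed GetBucketEncryption-style responses (shape follows the S3 API;
# bucket names and the key ARN are made up).
BUCKETS = {
    "aes256-no-bucket-key": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"},
         "BucketKeyEnabled": False}]}},
    "kms-no-bucket-key": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/example"},
         "BucketKeyEnabled": False}]}},
    "kms-bucket-key": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/example"},
         "BucketKeyEnabled": True}]}},
    # No default encryption configured: the API raises
    # ServerSideEncryptionConfigurationNotFoundError, modelled here as {}.
    "unencrypted": {},
}


def default_rule(config: dict) -> Optional[dict]:
    """Return the bucket's default-encryption rule, or None if none is set."""
    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    return rules[0] if rules else None


def bucket_encryption_filter(config: dict, crypto: Optional[str] = None,
                             state: bool = True,
                             bucket_key_enabled: Optional[bool] = None) -> bool:
    """One `bucket-encryption` filter with the given attributes (assumed semantics)."""
    rule = default_rule(config)
    # Assumed precedence: bucket_key_enabled short-circuits the other attributes.
    if bucket_key_enabled is not None and rule is not None:
        return rule.get("BucketKeyEnabled", False) == bucket_key_enabled
    matches_crypto = rule is not None and (
        crypto is None
        or rule["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"] == crypto)
    return matches_crypto if state else not matches_crypto


def and_block(*filters: dict) -> Callable[[dict], bool]:
    """Several filters under `and`: the bucket must pass every one of them."""
    return lambda config: all(bucket_encryption_filter(config, **f) for f in filters)


def audit(policy: Callable[[dict], bool]) -> list:
    """Names of the constructed buckets the policy selects, sorted."""
    return sorted(name for name, cfg in BUCKETS.items() if policy(cfg))


def reported_policy() -> list:
    """The issue's policy: all three attributes on a single filter."""
    return audit(lambda c: bucket_encryption_filter(
        c, crypto="aws:kms", state=True, bucket_key_enabled=False))


def workaround_policy() -> list:
    """The `and` workaround from the thread: attributes split over two filters."""
    return audit(and_block({"bucket_key_enabled": False},
                           {"crypto": "aws:kms", "state": True}))


def intended_policy() -> list:
    """What the policy author meant: KMS-encrypted AND bucket key disabled."""
    def wanted(config: dict) -> bool:
        rule = default_rule(config)
        return (rule is not None
                and rule["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"] == "aws:kms"
                and not rule.get("BucketKeyEnabled", False))
    return audit(wanted)


if __name__ == "__main__":
    print("single filter  :", reported_policy())    # the AES256 bucket is included
    print("and workaround :", workaround_policy())
    print("intended       :", intended_policy())
```

The `intended_policy` function is the reference to compare against: if a future change to the filter makes the single multi-attribute form behave as AND, `reported_policy()` would start matching it, which is exactly the compatibility concern raised above for anyone who has written policies relying on the current behaviour.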