Updates needed to fully support the CIS AWS Foundations Benchmark v2.0.0

aaronlippold commented 10 months ago

Description

General updates, fixes and new resources to the resource pack to support the cis-aws-foundations-v2 benchmark.

[x] Add a resource for the aws-iam-credential-report endpoint
- [ ] Resolve run time challenge to avoid blocking other code exec while waiting on report generation
- [ ] refactor away from FT and use https://github.com/inspec/inspec-aws/blob/main/libraries/aws_iam_access_key.rb as reference
- [ ] Document resource
- [ ] Add tests for resource
[x] Add a resources for the aws-accounts-endpoint (primary, billing, security and operations)
- [x] create individual resources for each type
- [x] refactor away from FT and use https://github.com/inspec/inspec-aws/blob/main/libraries/aws_iam_access_key.rb as reference
- [x] Document resources

[ ] Add Resource For AWS Macie2 (Related https://github.com/inspec/train-aws/pull/519)
- [x] Add library to train-aws (Related https://github.com/inspec/train-aws/pull/519)
- [ ] Add documentation and aliases for matchers
[x] Updates to aws_s3_bucket
- [x] Add prevent_public_access_by_account? using current aws-sdk-s3control v 1.77 working gem (Related https://github.com/inspec/train-aws/pull/519)
- [x] added missing docs on prevent_public_access
- [x] added alias of prevent_public_access as preventing_public_access_via_bucket for readability.
- [x] added alias of prevent_public_access_by_account as preventing_public_access_by_account for readability.
- [x] removed redudent call to catch_aws_errors to API call given we are handling the exceptions in the matcher.
- [ ] Correct errors in the iam_policy documentation
- [ ] Fix docs/example for IAM Users (it's currently the one from IAM User)
- [ ] Fix the resource_id and to_s functions for cloud watch log metric filter so that it handles the case when there are no metric filters
- [ ] Fix iam_access_keys

Current Resource Pack Errors

Likely mishandled exceptions missing from aws_backend and or catch_aws_errors

[ ] if possible, address / resolve the following warnings
- [2023-11-14T11:23:01-05:00] WARN: AWS Service Error encountered running a control with Resource aws_iam_users. Error message: Login Profile for User emailoctopus cannot be found.. You should address this error to ensure your controls are behaving as expected.
- [2023-11-14T11:23:02-05:00] WARN: AWS Service Error encountered running a control with Resource aws_iam_users. Error message: Login Profile for User inspec_aws cannot be found.. You should address this error to ensure your controls are behaving as expected.
- [2023-11-14T11:23:02-05:00] WARN: AWS Service Error encountered running a control with Resource aws_iam_users. Error message: Login Profile for User ses-smtp-user.20191012-150745 cannot be found.. You should address this error to ensure your controls are behaving as expected.
- [2023-11-14T11:23:29-05:00] WARN: AWS IAM Credential Report still being generated - attempt 1/5.
- [2023-11-14T11:25:12-05:00] WARN: No contact of the inputted alternate contact type found.
- [2023-11-14T11:25:12-05:00] WARN: AWS Service Error encountered running a control with Resource aws_iam_password_policy. Error message: The Password Policy with domain name 916481805664 cannot be found.. You should address this error to ensure your controls are behaving as expected.
- [2023-11-14T11:25:12-05:00] WARN: AWS Service Error encountered running a control with Resource aws_iam_password_policy. Error message: The Password Policy with domain name 916481805664 cannot be found.. You should address this error to ensure your controls are behaving as expected.

Check List

Please fill box or appropriate ([x]) or mark N/A.

[x] New functionality includes integration tests/controls
[ ] New Terraform resources
[ ] Documentation provided or updated for resources
[ ] All Integration Tests pass
[ ] All Unit Tests pass
[ ] rake lint passes
[x] All commits have been signed-off for the Developer Certificate of Origin. See https://github.com/chef/chef/blob/master/CONTRIBUTING.md#developer-certification-of-origin-dco

netlify[bot] commented 10 months ago

Deploy Preview for inspec-aws canceled.

Name	Link
Latest commit	0c0280cab388c69d2e332abed8818741d471cdf2
Latest deploy log	https://app.netlify.com/sites/inspec-aws/deploys/65a1481fe449f900080b7e8a

wdower commented 10 months ago

Additional resources needed:

[ ] aws_s3_public_access_block for AWS CIS Benchmark 2.1.4.

The benchmark describes using the aws s3api get-public-access-block command, which can target EITHER the account's overall settings, OR a particular s3 bucket. The resource will also need to be able to do both.

[x] Resource aws_rds_instances (see 2.3.1) isn't a real plural resource with a filtertable. It can still be used, but we can't use any neat filtertable tricks with it (.where filters etc.) EDIT: I was wrong, it is plural already
[x] Resource aws_cloudtrail_trail and aws_cloudtrail_trails need help. The CIS Benchmark wants to know if Cloudtrail is logging S3 access. That requires getting data on "event selectors." Not only does the InSpec resource not give us that in the filtertable but the underlying API call to AWS to get data on Cloudtrail does not return this. We'll need to find the AWS Ruby SDK equivalent of the command in the benchmark check text and add that client to the Cloudtrail resources.

aaronlippold commented 8 months ago

This needs to be cleaned up and documented so we can make a PR to chef to get it off our plate

@wdower

inspec / inspec-aws