Closed markusjunior closed 2 years ago
@markusjunior Appreciate using Steampipe 👍
Exciting details are provided, thank you. While checking this at our end, can you pls check your plugin configuration file aws.spc details? I just wanted to confirm the region settings in it.
If this is configured to only 1 region, i.e. regions = ["us-east-1"], the result will be only rendered for us-east-1.
The approach can be either you can specify the list of regions or make it * to evaluate all regions in the account, e.g. regions = ["*"].
Doc reference - https://hub.steampipe.io/plugins/turbot/aws#configuration
Thanks a lot Raj, that does the trick!!! Just configured the aws.spc with the required regions and it works so far. Thanks again. Issue can be closed...
Thank you! Let us know in case you come across any other issues. You can also participate in slack https://steampipe.io/community/join
Hi Raj,
One issue is left though, hopefully it is ok to bother you in this ticket.
We use shared VPCs. We do get alarms for 3.9 in AWS accounts and their VPCs if they rely on another shared VPC CIDR.
Example: PROD account VPC: flow logs enabled, check reports OK.
Workload-Whatever account VPC (uses the shared VPC CIDR of PROD): flow logs are not even possible, the tab in AWS config is missing altogether as flow logs have to be configured in the "upper sharing" account PROD. However, control 3.9 reports an alarm.
@markusjunior, this is an interesting one; thanks for bringing it on. I am not sure I have an immediate answer to it without replicating it on our end. I am re-opening it to check it further and expect anybody with a quick idea to share the information. Will keep you posted.
Raj, I just opened another one (AWS CIS 1.4 Control 3.9 >> issue with shared VPCs #441), I guess it is better this way
Makes sense
Describe the bug
Even if there are VPCs in many other AWS regions, the scan for Control 3.9 will only detect VPCs in us-east-1.

Steampipe version (steampipe -v)
steampipe version 0.15.0

Plugin version (steampipe plugin list)
| hub.steampipe.io/plugins/turbot/aws@0.57.0 | 0.57.0 |
| hub.steampipe.io/plugins/turbot/aws@latest | 0.68.0 | aws |
steampipe-mod-aws-compliance v0.37 [2022-06-29]

To reproduce
Running steampipe check aws_compliance.control.cis_v140_3_9
The result contains just the us-east-1 region, even if other VPCs exist in other regions of the same account. Please see the example output (Account ID and ARN removed) in the additional context section below.

Expected behavior
For this particular account we have VPCs in 5 different regions (like eu-central-1 etc.), therefore we expect that all regions are included in this scan / control.

Additional context
Example output (only us-east-1 is included, even if we have VPCs in other regions as well):
```json
{
  "group_id": "root_result_group",
  "title": "",
  "description": "",
  "tags": {},
  "summary": {
    "status": { "alarm": 0, "ok": 1, "info": 0, "skip": 0, "error": 0 }
  },
  "groups": [],
  "controls": [
    {
      "summary": { "alarm": 0, "ok": 1, "info": 0, "skip": 0, "error": 0 },
      "results": [
        {
          "reason": "vpc-<> flow logging enabled.",
          "resource": "arn:aws:ec2:us-east-1:<>:vpc/vpc-<>",
          "status": "ok",
          "dimensions": [
            { "key": "region", "value": "us-east-1" },
            { "key": "account_id", "value": "<>" }
          ]
        }
      ],
      "control_id": "control.cis_v140_3_9",
      "description": "VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet \"Rejects\" for VPCs.",
      "severity": "",
      "tags": {
        "category": "Compliance",
        "cis": "true",
        "cis_item_id": "3.9",
        "cis_level": "2",
        "cis_section_id": "3",
        "cis_type": "automated",
        "cis_version": "v1.4.0",
        "plugin": "aws",
        "service": "AWS/VPC"
      },
      "title": "3.9 Ensure VPC flow logging is enabled in all VPCs",
      "run_status": 4,
      "run_error": ""
    }
  ]
}
```
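The symptom in this issue (a control that silently covers only the regions listed in aws.spc) is easy to miss when a run reports nothing but "ok". The following is an added example, not part of the issue or of the Steampipe project: it walks the JSON produced by `steampipe check --output json` in the shape shown above, collects the regions each control actually produced results for, and reports expected regions that got no result at all. The sample document is constructed here to mirror the redacted output above; `expected` is the list of regions the account is known to use.

```python
import json

# Constructed sample in the shape of `steampipe check ... --output json`,
# mirroring the single-region result shown in the issue (values redacted).
SAMPLE_OUTPUT = json.dumps({
    "group_id": "root_result_group",
    "groups": [],
    "controls": [{
        "control_id": "control.cis_v140_3_9",
        "results": [{
            "status": "ok",
            "resource": "arn:aws:ec2:us-east-1:<>:vpc/vpc-<>",
            "dimensions": [
                {"key": "region", "value": "us-east-1"},
                {"key": "account_id", "value": "<>"},
            ],
        }],
    }],
})


def iter_results(group):
    """Yield (control_id, result) for every result, recursing into nested groups."""
    for control in group.get("controls", []):
        for result in control.get("results", []):
            yield control["control_id"], result
    for sub in group.get("groups", []):
        yield from iter_results(sub)


def regions_by_control(output_json):
    """Map each control_id to the set of regions its results carry in `dimensions`."""
    seen = {}
    for control_id, result in iter_results(json.loads(output_json)):
        dims = {d["key"]: d["value"] for d in result.get("dimensions", [])}
        if "region" in dims:
            seen.setdefault(control_id, set()).add(dims["region"])
    return seen


def missing_regions(output_json, control_id, expected):
    """Expected regions for which the control produced no result at all.

    An empty list is the good case; leftovers usually mean the connection's
    `regions` setting in aws.spc excludes them (assumption: the expected list
    is maintained by the reader, e.g. from the account's known VPC regions).
    """
    covered = regions_by_control(output_json).get(control_id, set())
    return sorted(set(expected) - covered)
```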