AWS CIS 1.4 Control 3.9 >> issue with shared VPCs

[markusjunior]

Describe the bug

• We use many Accounts in many regions. Further, we use the Share VPC feature of AWS (see docs.aws.amazon.com/vpc/latest/userguide/vpc-sharing.html). That means, we use one OWNER account with a VPC and huge CIDR in Region whatever. Afterwards we share the VPC to participant AWS accounts.
• Important to know: Only in the OWNER account, VPC flow logs are possible to activate. In Participant accounts the VPC flow log does not exist at all
• the control 3.9 detects succesfully the enabled flow log in the OWNER account, however it raises an alarm for a missing flow log for the participant accounts. As mentioned, it is not even possible to configure flow logs in VPC participant accounts

Steampipe version (steampipe -v) steampipe version 0.15.0

Plugin version (steampipe plugin list) | hub.steampipe.io/plugins/turbot/aws@0.57.0 | 0.57.0 | hub.steampipe.io/plugins/turbot/aws@latest | 0.68.0 | aws steampipe-mod-aws-compliance v0.37 [2022-06-29]

To reproduce Setup two AWS Accounts: PROD and WORKLOAD

• PROD Account: Setup VPC and Enable VPC Flow Logs in PROD
• PROD Account: Share the VPC of Account PROD to Account Workload
• WORKLOAD Account: Create a VPC / use the shared VPC
• run the Control 3.9 against both accounts
• The PROD (Owner) account will detected as OK. The WORKLOAD (participant) account will raise an alarm. However it is not possible to configure flow logs in participant accounts at all

steampipe check aws_compliance.control.cis_v140_3_9

Expected behavior Please check if the VPC is using a shared VPC and is therefore a participant account. If yes, do not raise an alarm but maybe INFO instead to let the auditor check the owner account.

[rajlearner17]

Great info! as we discussed here. We will take a look

[rajlearner17]

@markusjunior FYI, we are releasing this fix in today's latest release (v0.38). Appreciate pointing this out.

[markusjunior]

wow, lightning fast! Just pulled the release and testing it now against 100+ accounts... let you know soon.

By the way, I combined your awesome work with some stuff from myself. Maybe that is interesting for you as well. Any idea where to share this approach? Just in short: 1) we run steampipe / your plugin on a EC2 2) EC2 instance has an IAM role to assume a auditor role in all other accounts and get a list of all accounts in our org 3) With a "STS wrapper" written in python we iterate over all accounts and store each report in json on the local hdd 4) the EC2 copies each report to S3 5) triggered by new files in S3, our lambda pulls each new report and process the report: --- convert all data from json to relational data (sql ready) --- each find is one record. We add further metadata to each record (costcenter info, friendly account name etc) --- we check a whitelist via dynamoDB for every NON OK finding... --- when done, we push all data via SQL to a MySQL RDS 6) We use AWS Quicksight and use the MySQL RDS data to provide fancy dashboards to our auditors

If you are interested in the details, let me know where to share the idea, maybe with more details...

cheers Markus

[rajlearner17]

Hi, I am routing this to the respective team member; we love to hear from you and continuous feedback. @judell @bob-bot

[markusjunior]

UAT looks good, works as expected! Thanks again

[bob-bot]

@markusjunior thanks for sharing more information about your use case! I would love to learn more in a discussion if you a few minutes tomorrow or early next week.

What time works best for you? My calendar link is: https://calendly.com/steampipe/30