Closed the-cloud-ninja closed 7 months ago
Describe the bug
Mod: AWS Compliance Mod Control: 3 Remove unused Secrets Manager secrets / aws_compliance.control.foundational_security_secretsmanager_3
Issue: Return values are wrong. Secrets that were retrieved today or in the last few days are marked with Alarm, however other secrets that weren't retrieved for 500+ days are marked as OK.
Try the CLI with jq to compare:

```shell
# LastAccessedDate is rewritten to a zero-padded YYYY-MM-DD string, so the cutoff
# below is compared as a string and must use the same zero-padded form.
aws secretsmanager list-secrets --region eu-central-1 --profile YOURAWSPROFILE \
  | jq .SecretList \
  | jq 'map(.LastAccessedDate |= if type == "number" then strftime("%Y-%m-%d") else "<never>" end)' \
  | jq 'map(select(.LastAccessedDate <= "2024-02-02" or .LastAccessedDate == "<never>"))' \
  | jq -r 'map([.LastAccessedDate, .Name] | @tsv) | join("\n")'
```
Steampipe version (`steampipe -v`): Steampipe v0.21.4, aws@latest 0.129.0
To reproduce:

```shell
steampipe check aws_compliance.control.foundational_security_secretsmanager_3
```
Compare the results with the AWS CLI (the jq command above):
Example FALSE POSITIVE (secret retrieved today, marked as alarm):

Secret "DockerCredentials", last used yesterday (January 31st 2024):

```json
{
  "ARN": "arn:aws:secretsmanager:eu-central-1:11111111111:secret:DockerCredentials",
  "Name": "DockerCredentials",
  "LastChangedDate": 1706706820.497,
  "LastAccessedDate": 1706659200.0,
  "Tags": [ { "Key": "service", "Value": "prod - DMS" } ],
  "SecretVersionsToStages": {
    "500xxxxxxxxx": [ "AWSCURRENT" ],
    "650xxxxxxxxxx": [ "AWSPREVIOUS" ]
  },
  "CreatedDate": 1706706795.483
}
```
Example FALSE NEGATIVE (retrieved 666 days ago, marked as OK):

Secret "user-secret", last used 666 days ago (April 6th 2022):

```json
{
  "ARN": "arn:aws:secretsmanager:eu-central-1:11111111:secret:user-secret",
  "Name": "user-secret",
  "LastChangedDate": 1633435259.956,
  "LastAccessedDate": 1649203200.0,
  "Tags": [],
  "SecretVersionsToStages": {
    "cfbxxxxxxxxxxxxx": [ "AWSCURRENT" ]
  },
  "CreatedDate": 1633435259.913
}
```
Expected behavior: a list of all secrets unused for 90+ days.
Posted the bug to the aws-compliance GitHub instead.
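To check what verdicts the two quoted records should get, here is an added Python cross-check of the "unused 90+ days" rule over `list-secrets` output; it is not Steampipe's control query. The 90-day threshold, the rule that a never-accessed secret is aged from `CreatedDate`, and the third, never-read record are assumptions/constructed for the example.

```python
"""Cross-check of the 'unused 90+ days' rule over Secrets Manager list-secrets
output (added example, not the Steampipe control's own SQL)."""
import json
from datetime import datetime, timezone

UNUSED_DAYS = 90  # assumed threshold of the control

# Constructed sample in the shape of `aws secretsmanager list-secrets`: the two
# records quoted in the report, plus a never-accessed secret (no LastAccessedDate).
SAMPLE_SECRETS = json.loads("""
{"SecretList": [
  {"Name": "DockerCredentials", "LastAccessedDate": 1706659200.0,
   "CreatedDate": 1706706795.483},
  {"Name": "user-secret", "LastAccessedDate": 1649203200.0,
   "CreatedDate": 1633435259.913},
  {"Name": "never-read", "CreatedDate": 1633435259.913}
]}
""")["SecretList"]


def classify(secret, now, unused_days=UNUSED_DAYS):
    """Return (status, days_unused) for one secret record.

    Epoch floats are interpreted as UTC. A secret with no LastAccessedDate was
    never read, so it is aged from CreatedDate (assumption; this is the
    '<never>' branch of the jq command in the report)."""
    ts = secret.get("LastAccessedDate", secret["CreatedDate"])
    last = datetime.fromtimestamp(ts, tz=timezone.utc)
    days = (now - last).days
    return ("alarm" if days >= unused_days else "ok"), days


def unused_report(secrets, now):
    """Map each secret name to its (status, days_unused) verdict."""
    return {s["Name"]: classify(s, now) for s in secrets}


if __name__ == "__main__":
    now = datetime(2024, 2, 1, tzinfo=timezone.utc)  # the day the report was written
    for name, (status, days) in unused_report(SAMPLE_SECRETS, now).items():
        print(f"{status:5} {days:>4}d  {name}")
```

Run against the report's two records this yields `ok` for DockerCredentials (1 day) and `alarm` for user-secret (666 days), the opposite of what the control reported.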