turbot / steampipe

Zero-ETL, infinite possibilities. Live query APIs, code & more with SQL. No DB required.
https://steampipe.io
GNU Affero General Public License v3.0

FALSE-Negative and False-Positive for AWS Compliance > Remove unused Secrets Manager secrets #4103

Closed the-cloud-ninja closed 7 months ago

the-cloud-ninja commented 7 months ago

Describe the bug

Mod: AWS Compliance Mod
Control: 3 Remove unused Secrets Manager secrets / aws_compliance.control.foundational_security_secretsmanager_3

Issue: Return values are wrong. Secrets that were retrieved today or in the last few days are marked with Alarm; however, other secrets that weren't received for 500+ days are marked as OK.

Try the CLI with JQ to compare:

aws secretsmanager list-secrets --region eu-central-1 --profile YOURAWSPROFILE \
  | jq .SecretList \
  | jq 'map(.LastAccessedDate |= if type == "number" then strftime("%Y-%m-%d") else "<never>" end)' \
  | jq 'map(select(.LastAccessedDate <= "2024-2-2" or .LastAccessedDate == "<never>"))' \
  | jq -r 'map([.LastAccessedDate, .Name] | @tsv) | join("\n")'

Steampipe version (steampipe -v)
Steampipe v0.21.4
aws@latest 0.129.0

To reproduce

steampipe check aws_compliance.control.foundational_security_secretsmanager_3

Compare results with AWS CLI:

aws secretsmanager list-secrets --region eu-central-1 --profile YOURAWSPROFILE \
  | jq .SecretList \
  | jq 'map(.LastAccessedDate |= if type == "number" then strftime("%Y-%m-%d") else "<never>" end)' \
  | jq 'map(select(.LastAccessedDate <= "2024-2-2" or .LastAccessedDate == "<never>"))' \
  | jq -r 'map([.LastAccessedDate, .Name] | @tsv) | join("\n")'

Example FALSE POSITIVE (secret retrieved today, marked as alarm):

Secret "DockerCredentials", last used yesterday (January 31st 2024)

{
  "ARN": "arn:aws:secretsmanager:eu-central-1:11111111111:secret:DockerCredentials",
  "Name": "DockerCredentials",
  "LastChangedDate": 1706706820.497,
  "LastAccessedDate": 1706659200.0,
  "Tags": [
    {
      "Key": "service",
      "Value": "prod - DMS"
    }
  ],
  "SecretVersionsToStages": {
    "500xxxxxxxxx": [
      "AWSCURRENT"
    ],
    "650xxxxxxxxxx": [
      "AWSPREVIOUS"
    ]
  },
  "CreatedDate": 1706706795.483
}

Example FALSE-NEGATIVE (retrieved 666 days ago, marked as OK):

Secret "user-secret", last used 666 days ago (April 6th 2022)

{
  "ARN": "arn:aws:secretsmanager:eu-central-1:11111111:secret:user-secret",
  "Name": "user-secret",
  "LastChangedDate": 1633435259.956,
  "LastAccessedDate": 1649203200.0,
  "Tags": [],
  "SecretVersionsToStages": {
    "cfbxxxxxxxxxxxxx": [
      "AWSCURRENT"
    ]
  },
  "CreatedDate": 1633435259.913
}

Expected behavior

List of all Secrets unused 90 days+
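The expected behavior stated above (flag every secret not accessed for more than 90 days) as an added reference check, written for this page and not part of Steampipe, the AWS Compliance mod, or the reporter's post. It re-evaluates the two records quoted in the report against a constructed reference date of 2024-02-01 UTC (the day after the "DockerCredentials" access), plus one hypothetical never-accessed secret. Epoch timestamps are compared as datetimes rather than as date strings, so the result does not depend on string ordering; treating a never-accessed secret as unused is an assumption made here, not a statement about how the control itself handles that case.

```python
from datetime import datetime, timezone

# Reference "now" used for the worked example (constructed: the day after the
# DockerCredentials access in the report). Real checks use the current time.
REFERENCE_NOW = datetime(2024, 2, 1, tzinfo=timezone.utc)

# Constructed records modelled on the two secrets quoted in the issue, with the
# same epoch values; ARNs and version ids are abbreviated as in the report.
SAMPLE_SECRETS = [
    {
        "ARN": "arn:aws:secretsmanager:eu-central-1:11111111111:secret:DockerCredentials",
        "Name": "DockerCredentials",
        "LastChangedDate": 1706706820.497,
        "LastAccessedDate": 1706659200.0,  # 2024-01-31 00:00 UTC
        "CreatedDate": 1706706795.483,
    },
    {
        "ARN": "arn:aws:secretsmanager:eu-central-1:11111111:secret:user-secret",
        "Name": "user-secret",
        "LastChangedDate": 1633435259.956,
        "LastAccessedDate": 1649203200.0,  # 2022-04-06 00:00 UTC
        "CreatedDate": 1633435259.913,
    },
    {
        # Hypothetical secret that has never been read: AWS omits LastAccessedDate
        # entirely for such secrets (it is not present as null).
        "ARN": "arn:aws:secretsmanager:eu-central-1:11111111:secret:never-read",
        "Name": "never-read",
        "CreatedDate": 1633435259.913,
    },
]


def epoch_to_utc(ts):
    """Convert the float epoch seconds returned by list-secrets to an aware UTC datetime."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def days_since_access(secret, now=None):
    """Whole days since LastAccessedDate, or None when the secret has never been accessed."""
    now = now or datetime.now(timezone.utc)
    ts = secret.get("LastAccessedDate")
    if ts is None:
        return None
    return (now - epoch_to_utc(ts)).days


def evaluate(secret, now=None, threshold_days=90):
    """Return (status, reason) in the spirit of the control: 'alarm' when the secret
    has gone unused for longer than threshold_days, otherwise 'ok'."""
    days = days_since_access(secret, now)
    name = secret["Name"]
    if days is None:
        # Assumption for this example: a secret that has never been read counts as unused.
        return "alarm", f"{name} has never been accessed"
    if days > threshold_days:
        return "alarm", f"{name} last accessed {days} days ago (> {threshold_days})"
    return "ok", f"{name} last accessed {days} days ago"


def unused_secrets(secrets, now=None, threshold_days=90):
    """Names of all secrets the control should report as unused."""
    return [s["Name"] for s in secrets if evaluate(s, now, threshold_days)[0] == "alarm"]


if __name__ == "__main__":
    # Running this prints one line per secret, in the order of SAMPLE_SECRETS.
    for s in SAMPLE_SECRETS:
        status, reason = evaluate(s, REFERENCE_NOW)
        print(f"{status:5s}  {reason}")
```

For the quoted records the expected classification is "DockerCredentials" ok (1 day) and "user-secret" alarm (666 days, the figure the report gives), so any output that inverts these two rows reproduces the mismatch described in the issue. To run the same logic against a live account, replace SAMPLE_SECRETS with the parsed output of the list-secrets call shown above and drop the REFERENCE_NOW argument so the current time is used.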

the-cloud-ninja commented 7 months ago

posted bug to aws compliance github instead