added eks queries (#50)

cloudquery · Aug 6, 2023 · 57f7cbc · 57f7cbc
1 parent ca3e777
commit 57f7cbc
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 0 deletions.
diff --git a/aws/foundational_security/snowflake/main.py b/aws/foundational_security/snowflake/main.py
@@ -39,6 +39,7 @@ def run_policy(args):
     sections.execute_ec2(conn, execution_time)
     sections.execute_ecs(conn, execution_time)
     sections.execute_efs(conn, execution_time)
+    sections.execute_eks(conn, execution_time)
     sections.execute_elastic_beanstalk(conn, execution_time)
     sections.execute_elasticsearch(conn, execution_time)
     sections.execute_emr(conn, execution_time)

diff --git a/aws/foundational_security/snowflake/queries/eks.py b/aws/foundational_security/snowflake/queries/eks.py
@@ -0,0 +1,31 @@
+CLUSTER_ENDPOINTS_NOT_PUBLICLY_ACCESSIBLE = """
+insert into aws_policy_results
+SELECT
+    :1 as execution_time,
+    :2 as framework,
+    :3 as check_id,
+    'EKS cluster endpoints should not be publicly accessible' as title,
+    account_id,
+    arn as resource_id,
+    CASE 
+        WHEN resources_vpc_config:endpointPublicAccess = 'true' THEN 'fail'
+        ELSE 'pass'
+    END as status
+FROM aws_eks_clusters
+"""
+
+CLUSTERS_SHOULD_RUN_ON_SUPPORTED_KUBERNETERS_VERSION = """
+insert into aws_policy_results
+SELECT
+    :1 as execution_time,
+    :2 as framework,
+    :3 as check_id,
+    'EKS clusters should run on a supported Kubernetes version' as title,
+    account_id,
+    arn as resource_id,
+    CASE 
+        WHEN version::float < 1.23 THEN 'fail'
+        ELSE 'pass'
+    END as status
+FROM aws_eks_clusters
+"""
diff --git a/aws/foundational_security/snowflake/sections.py b/aws/foundational_security/snowflake/sections.py
@@ -12,6 +12,7 @@
     dynamodb,ec2,
     ecs,
     efs,
+    eks,
     elastic_beanstalk,
     elasticsearch,
     elb,
@@ -168,6 +169,13 @@ def execute_efs(conn: SnowflakeConnection, execution_time: datetime.datetime):
     print("Executing check efs.4")
     conn.cursor().execute(efs.ACCESS_POINT_ENFORCE_USER_IDENTITY, (execution_time, FRAMEWORK, 'efs.4'))
 
+def execute_eks(conn: SnowflakeConnection, execution_time: datetime.datetime):
+    print("Running section: eks")
+    print("Executing check eks.1")
+    conn.cursor().execute(eks.CLUSTER_ENDPOINTS_NOT_PUBLICLY_ACCESSIBLE, (execution_time, FRAMEWORK, 'eks.1'))
+    print("Executing check eks.2")
+    conn.cursor().execute(eks.CLUSTERS_SHOULD_RUN_ON_SUPPORTED_KUBERNETERS_VERSION, (execution_time, FRAMEWORK, 'eks.2'))
+
 def execute_elastic_beanstalk(conn: SnowflakeConnection, execution_time: datetime.datetime):
     print("Running section: elastic_beanstalk")
     print("Executing check elastic_beanstalk.1")