feat: Added queries 3 and 4 to efs.py (#49)

* added queries 3 and 4 to efs.py * Update aws/foundational_security/snowflake/queries/efs.py Co-authored-by: Jason Kao <[email protected]> * Update aws/foundational_security/snowflake/queries/efs.py Co-authored-by: Jason Kao <[email protected]> * Update aws/foundational_security/snowflake/queries/efs.py Co-authored-by: Jason Kao <[email protected]> * typo fix --------- Co-authored-by: Jason Kao <[email protected]>
cloudquery · Aug 3, 2023 · aa25e5a · aa25e5a
1 parent 09eab30
commit aa25e5a
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 0 deletions.
diff --git a/aws/foundational_security/snowflake/queries/efs.py b/aws/foundational_security/snowflake/queries/efs.py
@@ -31,4 +31,41 @@
     else 'pass'
   end as status
 from aws_efs_filesystems
+"""
+
+ACCESS_POINT_PATH_SHOULD_NOT_BE_ROOT = """
+insert into aws_policy_results
+SELECT 
+    :1 as execution_time,
+    :2 as framework,
+    :3 as check_id,
+    'EFS access points should enforce a root directory' as title,
+    account_id,
+    arn as resource_id,
+    CASE
+        WHEN root_directory:Path::STRING = '/' THEN 'fail'
+        ELSE 'pass'
+    END as status
+FROM 
+    aws_efs_access_points
+"""
+
+ACCESS_POINT_ENFORCE_USER_IDENTITY = """
+insert into aws_policy_results
+SELECT 
+    :1 as execution_time,
+    :2 as framework,
+    :3 as check_id,
+    'EFS access points should enforce a user identity' as title,
+    account_id,
+    arn as resource_id,
+    CASE
+      WHEN posix_user IS NULL 
+        OR posix_user:uid::STRING IS NULL
+        OR posix_user:gid::STRING IS NULL
+      THEN 'fail'
+      ELSE 'pass'
+    END as status
+FROM 
+    aws_efs_access_points
 """
diff --git a/aws/foundational_security/snowflake/sections.py b/aws/foundational_security/snowflake/sections.py
@@ -163,6 +163,10 @@ def execute_efs(conn: SnowflakeConnection, execution_time: datetime.datetime):
     conn.cursor().execute(efs.UNENCRYPTED_EFS_FILESYSTEMS, (execution_time, FRAMEWORK, 'efs.1'))
     print("Executing check efs.2")
     conn.cursor().execute(efs.EFS_FILESYSTEMS_WITH_DISABLED_BACKUPS, (execution_time, FRAMEWORK, 'efs.2'))
+    print("Executing check efs.3")
+    conn.cursor().execute(efs.ACCESS_POINT_PATH_SHOULD_NOT_BE_ROOT, (execution_time, FRAMEWORK, 'efs.3'))
+    print("Executing check efs.4")
+    conn.cursor().execute(efs.ACCESS_POINT_ENFORCE_USER_IDENTITY, (execution_time, FRAMEWORK, 'efs.4'))
 
 def execute_elastic_beanstalk(conn: SnowflakeConnection, execution_time: datetime.datetime):
     print("Running section: elastic_beanstalk")