From aa25e5a4de10e7d2758cd5ad1e501412670b14bb Mon Sep 17 00:00:00 2001
From: Jonathan Sarig <73023114+john-s58@users.noreply.github.com>
Date: Thu, 3 Aug 2023 14:38:57 +0300
Subject: [PATCH] feat: Added queries 3 and 4 to efs.py (#49)
* added queries 3 and 4 to efs.py
* Update aws/foundational_security/snowflake/queries/efs.py
Co-authored-by: Jason Kao <100613312+jsonpr@users.noreply.github.com>
* Update aws/foundational_security/snowflake/queries/efs.py
Co-authored-by: Jason Kao <100613312+jsonpr@users.noreply.github.com>
* Update aws/foundational_security/snowflake/queries/efs.py
Co-authored-by: Jason Kao <100613312+jsonpr@users.noreply.github.com>
* typo fix
---------
Co-authored-by: Jason Kao <100613312+jsonpr@users.noreply.github.com>
---
 .../snowflake/queries/efs.py | 37 +++++++++++++++++++
 .../snowflake/sections.py | 4 ++
 2 files changed, 41 insertions(+)
diff --git a/aws/foundational_security/snowflake/queries/efs.py b/aws/foundational_security/snowflake/queries/efs.py
index 0e0aa8208..be74f21ce 100644
--- a/aws/foundational_security/snowflake/queries/efs.py
+++ b/aws/foundational_security/snowflake/queries/efs.py
@@ -31,4 +31,41 @@
 else 'pass'
 end as status
 from aws_efs_filesystems
+"""
+
+ACCESS_POINT_PATH_SHOULD_NOT_BE_ROOT = """
+insert into aws_policy_results
+SELECT
+ :1 as execution_time,
+ :2 as framework,
+ :3 as check_id,
+ 'EFS access points should enforce a root directory' as title,
+ account_id,
+ arn as resource_id,
+ CASE
+ WHEN root_directory:Path::STRING = '/' THEN 'fail'
+ ELSE 'pass'
+ END as status
+FROM
+ aws_efs_access_points
+"""
+
+ACCESS_POINT_ENFORCE_USER_IDENTITY = """
+insert into aws_policy_results
+SELECT
+ :1 as execution_time,
+ :2 as framework,
+ :3 as check_id,
+ 'EFS access points should enforce a user identity' as title,
+ account_id,
+ arn as resource_id,
+ CASE
+ WHEN posix_user IS NULL
+ OR posix_user:uid::STRING IS NULL
+ OR posix_user:gid::STRING IS NULL
+ THEN 'fail'
+ ELSE 'pass'
+ END as status
+FROM
+ aws_efs_access_points
 """
\ No newline at end of file
diff --git a/aws/foundational_security/snowflake/sections.py b/aws/foundational_security/snowflake/sections.py
index dd6c69d77..6e8dbc8f5 100644
--- a/aws/foundational_security/snowflake/sections.py
+++ b/aws/foundational_security/snowflake/sections.py
@@ -163,6 +163,10 @@ def execute_efs(conn: SnowflakeConnection, execution_time: datetime.datetime):
 conn.cursor().execute(efs.UNENCRYPTED_EFS_FILESYSTEMS, (execution_time, FRAMEWORK, 'efs.1'))
 print("Executing check efs.2")
 conn.cursor().execute(efs.EFS_FILESYSTEMS_WITH_DISABLED_BACKUPS, (execution_time, FRAMEWORK, 'efs.2'))
+ print("Executing check efs.3")
+ conn.cursor().execute(efs.ACCESS_POINT_PATH_SHOULD_NOT_BE_ROOT, (execution_time, FRAMEWORK, 'efs.3'))
+ print("Executing check efs.4")
+ conn.cursor().execute(efs.ACCESS_POINT_ENFORCE_USER_IDENTITY, (execution_time, FRAMEWORK, 'efs.4'))

 def execute_elastic_beanstalk(conn: SnowflakeConnection, execution_time: datetime.datetime):
 print("Running section: elastic_beanstalk")
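Review bot: The efs.3 predicate `WHEN root_directory:Path::STRING = '/' THEN 'fail'` evaluates to NULL when `root_directory` or its `Path` key is absent, and a NULL condition falls through to `ELSE 'pass'`. If the ingested access-point record omits `Path` for access points created without an explicit root directory (which EFS treats as `/`), those would be reported as passing; the efs.4 query in the same hunk handles the missing-key case explicitly with `IS NULL` checks, so efs.3 should as well. Suggested change: `WHEN COALESCE(root_directory:Path::STRING, '/') = '/' THEN 'fail'`. As a point of style, the surrounding file's queries use lowercase keywords (`end as status`, `from aws_efs_filesystems` in the context lines) while both new queries use `SELECT`/`CASE`/`FROM` in uppercase.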
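Review bot: Each new `conn.cursor().execute(...)` line in execute_efs creates a cursor that is never closed or referenced again, following the pattern of the efs.1/efs.2 lines above it. If the Snowflake cursor type supports the context-manager protocol, `with conn.cursor() as cur: cur.execute(efs.ACCESS_POINT_PATH_SHOULD_NOT_BE_ROOT, (execution_time, FRAMEWORK, 'efs.3'))` would release it deterministically. The four `print`/`execute` pairs also differ only in the check id and the query constant, so iterating over `[('efs.3', efs.ACCESS_POINT_PATH_SHOULD_NOT_BE_ROOT), ('efs.4', efs.ACCESS_POINT_ENFORCE_USER_IDENTITY)]` would keep the id and query from drifting apart as more checks are added. execute_efs starts outside the hunk.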