feat: Added queries for cloudbuild 3 to 5 (#32)

* added queries for cloudbuild 3 to 5 * fix: Fixed typo in codebuld.5 query * Update aws/foundational_security/snowflake/queries/codebuild.py fixed typo 'else' -> 'failed' Co-authored-by: Jason Kao <[email protected]> --------- Co-authored-by: Jason Kao <[email protected]>
cloudquery · Jul 31, 2023 · d3c805b · d3c805b
1 parent 652ec3d
commit d3c805b
Show file tree

Hide file tree

Showing 2 changed files with 55 additions and 0 deletions.
diff --git a/aws/foundational_security/snowflake/queries/codebuild.py b/aws/foundational_security/snowflake/queries/codebuild.py
@@ -43,3 +43,52 @@
     end as status
 from aws_codebuild_projects, LATERAL FLATTEN(input => environment:EnvironmentVariables) as e
 """
+
+S3_LOGS_ENCRYPTED = """
+insert into aws_policy_results
+select 
+    :1 as execution_time,
+    :2 as framework,
+    :3 as check_id,
+    'CodeBuild S3 logs should be encrypted' as title,
+    account_id,
+    arn as resource_id,
+    CASE
+    WHEN logs_config:S3Logs:encryptionDisabled::boolean then 'fail'
+    ELSE 'pass'
+    END as status
+from aws_codebuild_projects
+"""
+
+PROJECT_ENVIRONMENT_HAS_LOGGING_AWS_CONFIGURATION = """
+insert into aws_policy_results
+select 
+    :1 as execution_time,
+    :2 as framework,
+    :3 as check_id,
+    'CodeBuild project environments should have a logging AWS Configuration' as title,
+    account_id,
+    arn as resource_id,
+    CASE
+    WHEN logs_config:S3Logs:status::text = 'ENABLED' then 'pass'
+    WHEN logs_config:CloudWatchLogs:status::text = 'ENABLED' then 'pass'
+    ELSE 'fail'
+    END as status
+from aws_codebuild_projects
+"""
+
+PROJECT_ENVIRONMENT_SHOULD_NOT_HAVE_PRIVILEGED_MODE = """
+insert into aws_policy_results
+select 
+    :1 as execution_time,
+    :2 as framework,
+    :3 as check_id,
+    'CodeBuild project environments should not have privileged mode enabled' as title,
+    account_id,
+    arn as resource_id,
+    CASE
+    WHEN logs_config:environment:PrivilegedMode::boolean then 'fail'
+    ELSE 'pass'
+    END as status
+from aws_codebuild_projects
+"""
diff --git a/aws/foundational_security/snowflake/sections.py b/aws/foundational_security/snowflake/sections.py
@@ -90,6 +90,12 @@ def execute_codebuild(conn: SnowflakeConnection, execution_time: datetime.dateti
     conn.cursor().execute(codebuild.CHECK_OAUTH_USAGE_FOR_SOURCES, (execution_time, FRAMEWORK, 'codebuild.1'))
     print("Running check: codebuild.2")
     conn.cursor().execute(codebuild.CHECK_ENVIRONMENT_VARIABLES, (execution_time, FRAMEWORK, 'codebuild.2'))
+    print("Running check: codebuild.3")
+    conn.cursor().execute(codebuild.S3_LOGS_ENCRYPTED, (execution_time, FRAMEWORK, 'codebuild.3'))
+    print("Running check: codebuild.4")
+    conn.cursor().execute(codebuild.PROJECT_ENVIRONMENT_HAS_LOGGING_AWS_CONFIGURATION, (execution_time, FRAMEWORK, 'codebuild.4'))
+    print("Running check: codebuild.5")
+    conn.cursor().execute(codebuild.PROJECT_ENVIRONMENT_SHOULD_NOT_HAVE_PRIVILEGED_MODE, (execution_time, FRAMEWORK, 'codebuild.5'))
 
 def execute_dms(conn: SnowflakeConnection, execution_time: datetime.datetime):
     print("Running section: dms")