From d3c805ba9dc863cb08f7c3d3ccc7d23605fc8961 Mon Sep 17 00:00:00 2001
From: Jonathan Sarig <73023114+john-s58@users.noreply.github.com>
Date: Mon, 31 Jul 2023 18:12:11 +0300
Subject: [PATCH] feat: Added queries for cloudbuild 3 to 5 (#32)

* added queries for cloudbuild 3 to 5

* fix: Fixed typo in codebuld.5 query

* Update aws/foundational_security/snowflake/queries/codebuild.py

fixed typo 'else' -> 'failed'

Co-authored-by: Jason Kao <100613312+jsonpr@users.noreply.github.com>

---------

Co-authored-by: Jason Kao <100613312+jsonpr@users.noreply.github.com>
---
 .../snowflake/queries/codebuild.py | 49 +++++++++++++++++++
 .../snowflake/sections.py | 6 +++
 2 files changed, 55 insertions(+)

diff --git a/aws/foundational_security/snowflake/queries/codebuild.py b/aws/foundational_security/snowflake/queries/codebuild.py
index f42383f4a..3b92ed43d 100644
--- a/aws/foundational_security/snowflake/queries/codebuild.py
+++ b/aws/foundational_security/snowflake/queries/codebuild.py
@@ -43,3 +43,52 @@
 end as status
 from aws_codebuild_projects, LATERAL FLATTEN(input => environment:EnvironmentVariables) as e
 """
+
+S3_LOGS_ENCRYPTED = """
+insert into aws_policy_results
+select
+ :1 as execution_time,
+ :2 as framework,
+ :3 as check_id,
+ 'CodeBuild S3 logs should be encrypted' as title,
+ account_id,
+ arn as resource_id,
+ CASE
+ WHEN logs_config:S3Logs:encryptionDisabled::boolean then 'fail'
+ ELSE 'pass'
+ END as status
+from aws_codebuild_projects
+"""
+
+PROJECT_ENVIRONMENT_HAS_LOGGING_AWS_CONFIGURATION = """
+insert into aws_policy_results
+select
+ :1 as execution_time,
+ :2 as framework,
+ :3 as check_id,
+ 'CodeBuild project environments should have a logging AWS Configuration' as title,
+ account_id,
+ arn as resource_id,
+ CASE
+ WHEN logs_config:S3Logs:status::text = 'ENABLED' then 'pass'
+ WHEN logs_config:CloudWatchLogs:status::text = 'ENABLED' then 'pass'
+ ELSE 'fail'
+ END as status
+from aws_codebuild_projects
+"""
+
+PROJECT_ENVIRONMENT_SHOULD_NOT_HAVE_PRIVILEGED_MODE = """
+insert into aws_policy_results
+select
+ :1 as execution_time,
+ :2 as framework,
+ :3 as check_id,
+ 'CodeBuild project environments should not have privileged mode enabled' as title,
+ account_id,
+ arn as resource_id,
+ CASE
+ WHEN logs_config:environment:PrivilegedMode::boolean then 'fail'
+ ELSE 'pass'
+ END as status
+from aws_codebuild_projects
+"""
\ No newline at end of file
diff --git a/aws/foundational_security/snowflake/sections.py b/aws/foundational_security/snowflake/sections.py
index 2c9087bd4..dbd57df66 100644
--- a/aws/foundational_security/snowflake/sections.py
+++ b/aws/foundational_security/snowflake/sections.py
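Review bot: `PROJECT_ENVIRONMENT_SHOULD_NOT_HAVE_PRIVILEGED_MODE` reads `logs_config:environment:PrivilegedMode::boolean`, but the privileged-mode flag belongs to the project's environment rather than its logs configuration; the context line at the top of this hunk flattens `environment:EnvironmentVariables`, which suggests `environment` is its own column on `aws_codebuild_projects`. Because a path that does not exist yields NULL and a NULL `WHEN` falls through to `ELSE 'pass'`, every project would be reported as passing codebuild.5 regardless of how it is configured, and nothing in the output would reveal the mistake. The condition should read `WHEN environment:PrivilegedMode::boolean then 'fail'`. The same NULL-to-pass fall-through applies to `S3_LOGS_ENCRYPTED`, so it is worth deciding explicitly whether a project with no S3 log configuration should be reported as 'pass' or excluded from the result.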
@@ -90,6 +90,12 @@ def execute_codebuild(conn: SnowflakeConnection, execution_time: datetime.dateti
 conn.cursor().execute(codebuild.CHECK_OAUTH_USAGE_FOR_SOURCES, (execution_time, FRAMEWORK, 'codebuild.1'))
 print("Running check: codebuild.2")
 conn.cursor().execute(codebuild.CHECK_ENVIRONMENT_VARIABLES, (execution_time, FRAMEWORK, 'codebuild.2'))
+ print("Running check: codebuild.3")
+ conn.cursor().execute(codebuild.S3_LOGS_ENCRYPTED, (execution_time, FRAMEWORK, 'codebuild.3'))
+ print("Running check: codebuild.4")
+ conn.cursor().execute(codebuild.PROJECT_ENVIRONMENT_HAS_LOGGING_AWS_CONFIGURATION, (execution_time, FRAMEWORK, 'codebuild.4'))
+ print("Running check: codebuild.5")
+ conn.cursor().execute(codebuild.PROJECT_ENVIRONMENT_SHOULD_NOT_HAVE_PRIVILEGED_MODE, (execution_time, FRAMEWORK, 'codebuild.5'))
 
 def execute_dms(conn: SnowflakeConnection, execution_time: datetime.datetime):
 print("Running section: dms")
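Review bot: The three new print/execute pairs repeat the same two statements with only the check id and the query name changing, and the codebuild.4 and codebuild.5 calls run well past any usual line length; a small table iterated in a loop keeps each check to one entry and makes it impossible to pair a check id with the wrong query. `execute_codebuild` starts outside this hunk, so the existing codebuild.1 and codebuild.2 calls above the added lines could be folded into the same table if the rest of the function follows this pattern. Proposed replacement for the six added lines:
```python
    # … unchanged: codebuild.1 and codebuild.2 checks …
    for check_id, query in (
        ('codebuild.3', codebuild.S3_LOGS_ENCRYPTED),
        ('codebuild.4', codebuild.PROJECT_ENVIRONMENT_HAS_LOGGING_AWS_CONFIGURATION),
        ('codebuild.5', codebuild.PROJECT_ENVIRONMENT_SHOULD_NOT_HAVE_PRIVILEGED_MODE),
    ):
        print(f"Running check: {check_id}")
        conn.cursor().execute(query, (execution_time, FRAMEWORK, check_id))
```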