
Commit 1ffa301

authored
Merge pull request #79 from aws-ia/devel
Scoutsuite automation test
2 parents dccf995 + 72b81f7 commit 1ffa301

13 files changed

+64
-63
lines changed

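--- a/.gitignore
+++ b/.gitignore
@@ -185,4 +185,10 @@ aggregated_results.txt
 lambda.zip
 
 # Visual Studio Code IDE
-.vscode/
+.vscode/
+
+# Scoutsuite files
+/scoutsuite-report/
+scoutsuite-report.zip
+scoutsuite_sysout.txt
+scoutsuite_s3_filename.txt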

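--- a/.project_automation/functional_tests/entrypoint.sh
+++ b/.project_automation/functional_tests/entrypoint.sh
@@ -8,6 +8,9 @@ PROJECT_TYPE_PATH=${BASE_PATH}/projecttype
 
 cd ${PROJECT_PATH}
 
+# Retrieve the AWS account ID and store it in a variable
+AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
+
 cleanup_region() {
 echo "Cleanup running in region: $1"
 export AWS_DEFAULT_REGION=$1
@@ -24,15 +27,16 @@ cleanup_all_regions() {
 }
 
 run_test() {
-echo "Running e2e test"
+echo "Running e2e test: $1"
 cleanup_all_regions
 echo $AWS_DEFAULT_REGION
 unset AWS_DEFAULT_REGION
 echo $AWS_DEFAULT_REGION
-taskcat test run
+taskcat test run -n -t $1
+.project_automation/functional_tests/scoutsuite/scoutsuite.sh
 }
 # Run taskcat e2e test
-run_test
+run_test "cfn-abi-lacework-polygraph-multi-org-multi-sub-mapping"
 
 ## Executing ash tool
 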
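Review bot: `AWS_ACCOUNT_ID` is assigned on the new line 12 but never read anywhere in this file, and because it is not exported the child process started by `.project_automation/functional_tests/scoutsuite/scoutsuite.sh` cannot inherit it (that script runs its own `aws sts get-caller-identity` in this same commit). Either drop the assignment here or make the hand-off explicit with `export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)` and remove the duplicate call downstream. In `run_test`, `$1` is unquoted in `taskcat test run -n -t $1`; write `taskcat test run -n -t "$1"` so a test name containing spaces or glob characters is passed as a single argument. The scoutsuite script is also invoked by a relative path, which only resolves because of the earlier `cd ${PROJECT_PATH}`; a short comment saying so, or calling it as `"${PROJECT_PATH}/.project_automation/functional_tests/scoutsuite/scoutsuite.sh"`, would make that dependency visible.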

.project_automation/functional_tests/entrypoint_scotsuite.sh

-55
This file was deleted.

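--- a/.project_automation/functional_tests/abi-scoutsuite-custom-ruleset.json
+++ b/.project_automation/functional_tests/scoutsuite/abi-scoutsuite-custom-ruleset.json
@@ -1,5 +1,5 @@
 {
-"about": "This is a simplified ruleset intended for use by CDO Securtiy Certifiers and is maintained by Amazon's CloudSecurity team.",
+"about": "This is a simplified ruleset intended for use with AWS ABI test environments.",
 "rules": {
 "cloudtrail-not-configured.json": [
 {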

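--- a/.project_automation/functional_tests/create-scoutsuite-custom-rule.py
+++ b/.project_automation/functional_tests/scoutsuite/create-scoutsuite-custom-rule.py
@@ -40,7 +40,7 @@ def create_scoutsuite_custom_rule_file(file_name):
 if not os.path.exists(scoutsuite_cloudtrail_json_file_path):
 # If the file does not exist, create it
 # Source path
-src = '.project_automation/functional_tests/'+file_name
+src = '.project_automation/functional_tests/scoutsuite/'+file_name
 copy_file(src, scoutsuite_cloudtrail_json_file_path)
 else:
 logging.info(f'File {scoutsuite_cloudtrail_json_file_path} already exists')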

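--- a/.project_automation/functional_tests/process-scoutsuite-report.py
+++ b/.project_automation/functional_tests/scoutsuite/process-scoutsuite-report.py
@@ -81,7 +81,7 @@ def create_lambda_s3_presignedurl():
 '''Function that creates the Lambda function that generates S3 presigned URLs'''
 
 # Create the ZIP deployment package for Lambda
-lambda_zipped_code = zip_folder_to_bytesio('./.project_automation/functional_tests/lambda_functions/source/lambda_s3_presignedurl')
+lambda_zipped_code = zip_folder_to_bytesio('./.project_automation/functional_tests/scoutsuite/lambda_functions/source/lambda_s3_presignedurl')
 lambda_zipped_code.seek(0) # Reset the cursor of the BytesIO object to the beginning
 
 s3_client = session.client('s3')
@@ -95,7 +95,7 @@ def create_lambda_s3_presignedurl():
 # Use the session to create a client for CloudFormation
 cf_client = session.client('cloudformation')
 
-with open('./.project_automation/functional_tests/lambda_s3_presignedurl.yaml', 'r') as file:
+with open('./.project_automation/functional_tests/scoutsuite/lambda_s3_presignedurl.yaml', 'r') as file:
 template_body = file.read()
 # Check if the stack already exists
 try:
@@ -277,6 +277,8 @@ def upload_scoutsuite_results_zip_to_s3(scoutsuite_zip_file_path, zip_name):
 s3_file_with_key = time_key + '-' + zip_name
 # Upload the Scoutsuite results zip to an S3 bucket
 s3.upload_file(scoutsuite_zip_file_path, bucket_name, s3_file_with_key)
+with open("scoutsuite_s3_filename.txt", "w") as file:
+file.write(str(s3_file_with_key))
 
 except ClientError as error:
 logging.exception (error)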
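Review bot: In the third hunk the hand-off file `scoutsuite_s3_filename.txt` is written only after `s3.upload_file` returns, inside a `try` whose visible handler catches `ClientError` and merely logs it; when the upload fails the file is never created, and the shell consumer added in this same commit (`scoutsuite_s3_filename=$(cat scoutsuite_s3_filename.txt)` under `bash -ex`) then dies on a missing file instead of surfacing the upload error. Re-raising after `logging.exception (error)`, or writing an explicit empty marker in the handler, would let the pipeline fail with the real cause rather than a misleading one. The `str()` wrapper on `s3_file_with_key` looks redundant given the string concatenation on the line above, unless `time_key` is not a `str` — worth confirming. The enclosing `upload_scoutsuite_results_zip_to_s3` starts before and ends after this hunk, so how `bucket_name` is derived and whether the function returns anything on failure are not visible here.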
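--- /dev/null
+++ b/.project_automation/functional_tests/scoutsuite/scoutsuite.sh
@@ -0,0 +1,40 @@
+#!/bin/bash -ex
+
+
+## NOTE: paths may differ when running in a managed task. To ensure behavior is consistent between
+# managed and local tasks always use these variables for the project and project type path
+PROJECT_PATH=${BASE_PATH}/project
+PROJECT_TYPE_PATH=${BASE_PATH}/projecttype
+
+cd ${PROJECT_PATH}
+
+# Retrieve the AWS account ID and store it in a variable
+AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
+
+run_scoutsuite() {
+#Create Scoutsuite security scan custom rule
+python3 .project_automation/functional_tests/scoutsuite/create-scoutsuite-custom-rule.py
+# Execute Scoutsuite security scan
+scout aws -r us-east-1 --ruleset .project_automation/functional_tests/scoutsuite/abi-scoutsuite-custom-ruleset.json --no-browser --max-rate 5 --max-workers 5 -f
+# Upload Scoutsuite security scan results to S3 bucket named scoutsuite-results-aws-AWS-ACCOUNT-ID
+python3 .project_automation/functional_tests/scoutsuite/process-scoutsuite-report.py
+# Delete taskcat e2e test resources
+taskcat test clean ALL
+process_scoutsuite_report
+}
+
+process_scoutsuite_report() {
+# Check Scoutsuite security scan result for Danger level findings (Non-0 exit code)
+scoutsuite_sysout_result=$(cat scoutsuite_sysout.txt)
+scoutsuite_s3_filename=$(cat scoutsuite_s3_filename.txt)
+rm scoutsuite_sysout.txt
+rm scoutsuite_s3_filename.txt
+if [ "$scoutsuite_sysout_result" -ne 0 ]; then
+# The value is non-zero, indicating Scoutsuite report needs to be checked for security issues
+echo "Scoutsuite report contains security issues. For details please check the log messages above or the file $scoutsuite_s3_filename in the S3 bucket named scoutsuite-results-aws-$AWS_ACCOUNT_ID in the AWS test account provided by the ABI team."
+exit 1
+fi
+}
+
+#Run Scoutsuite security test
+run_scoutsuite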
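Review bot: The gate in `process_scoutsuite_report` fails open: `[ "$scoutsuite_sysout_result" -ne 0 ]` prints "integer expression expected" and evaluates false when `scoutsuite_sysout.txt` is empty or non-numeric, so a malformed result file lets the job exit 0 with no security check enforced (the condition of an `if` is exempt from `set -e`). Compare against the exact success value instead, `if [ "$scoutsuite_sysout_result" != "0" ]; then`, so anything other than a literal 0 is treated as a failure. Separately, because the script runs under `-e`, a non-zero exit from `scout aws` or the report script aborts before `taskcat test clean ALL`, leaving the deployed test stacks behind; registering cleanup with `trap 'taskcat test clean ALL' EXIT` at the start of `run_scoutsuite` (and dropping the inline call) makes teardown unconditional while preserving the `exit 1` status. It is also not visible here which step writes `scoutsuite_sysout.txt`, presumably `process-scoutsuite-report.py`; a comment such as `# 0 = no Danger-level findings; written by process-scoutsuite-report.py` on the `cat` line would spare the next reader the search.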

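--- a/scripts/cleanup_config.json
+++ b/scripts/cleanup_config.json
@@ -188,5 +188,9 @@
 {
 "Type" : "STACK",
 "Filter" : "tCaT-cfn-abi-lacework-polygraph-"
+},
+{
+"Type" : "STACK",
+"Filter" : "Lambda-S3-PresignedURL"
 }
 ]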
