From f7b59e1d0363dbfa3c5591cc050e8acc233c5300 Mon Sep 17 00:00:00 2001 From: Darren Dao Date: Wed, 14 Dec 2022 10:24:17 -0800 Subject: [PATCH] aws - account - managed config rule (#7029) --- c7n/filters/missing.py | 18 + c7n/resources/account.py | 204 ++++++++ c7n/resources/config.py | 106 +++- .../config.DescribeConfigRules_1.json | 482 ++++++++++++++++++ .../config.DescribeConfigRules_2.json | 475 +++++++++++++++++ .../config.DescribeConfigRules_3.json | 463 +++++++++++++++++ .../config.DescribeConfigRules_4.json | 475 +++++++++++++++++ .../config.DescribeConfigRules_5.json | 442 ++++++++++++++++ .../config.DescribeConfigRules_6.json | 444 ++++++++++++++++ .../config.DescribeConfigRules_7.json | 431 ++++++++++++++++ .../config.DescribeConfigRules_8.json | 252 +++++++++ ...g.DescribeRemediationConfigurations_1.json | 31 ++ .../tagging.GetResources_1.json | 1 + .../config.DeleteConfigRule_1.json | 6 + ...nfig.DeleteRemediationConfiguration_1.json | 6 + .../config.DescribeConfigRules_1.json | 30 ++ .../config.DescribeConfigRules_2.json | 30 ++ ...g.DescribeRemediationConfigurations_1.json | 31 ++ .../config.PutConfigRule_1.json | 6 + ...config.PutRemediationConfigurations_1.json | 7 + .../iam.ListAccountAliases_1.json | 10 + .../iam.ListAccountAliases_2.json | 10 + tests/test_account.py | 97 ++++ tests/test_config.py | 69 +++ 24 files changed, 4125 insertions(+), 1 deletion(-) create mode 100644 tests/data/placebo/test_config_rule_remediation/config.DescribeConfigRules_1.json create mode 100644 tests/data/placebo/test_config_rule_remediation/config.DescribeConfigRules_2.json create mode 100644 tests/data/placebo/test_config_rule_remediation/config.DescribeConfigRules_3.json create mode 100644 tests/data/placebo/test_config_rule_remediation/config.DescribeConfigRules_4.json create mode 100644 tests/data/placebo/test_config_rule_remediation/config.DescribeConfigRules_5.json create mode 100644 tests/data/placebo/test_config_rule_remediation/config.DescribeConfigRules_6.json create mode 100644 tests/data/placebo/test_config_rule_remediation/config.DescribeConfigRules_7.json create mode 100644 tests/data/placebo/test_config_rule_remediation/config.DescribeConfigRules_8.json create mode 100644 tests/data/placebo/test_config_rule_remediation/config.DescribeRemediationConfigurations_1.json create mode 100644 tests/data/placebo/test_config_rule_remediation/tagging.GetResources_1.json create mode 100644 tests/data/placebo/test_toggle_config_managed_rule/config.DeleteConfigRule_1.json create mode 100644 tests/data/placebo/test_toggle_config_managed_rule/config.DeleteRemediationConfiguration_1.json create mode 100644 tests/data/placebo/test_toggle_config_managed_rule/config.DescribeConfigRules_1.json create mode 100644 tests/data/placebo/test_toggle_config_managed_rule/config.DescribeConfigRules_2.json create mode 100644 tests/data/placebo/test_toggle_config_managed_rule/config.DescribeRemediationConfigurations_1.json create mode 100644 tests/data/placebo/test_toggle_config_managed_rule/config.PutConfigRule_1.json create mode 100644 tests/data/placebo/test_toggle_config_managed_rule/config.PutRemediationConfigurations_1.json create mode 100644 tests/data/placebo/test_toggle_config_managed_rule/iam.ListAccountAliases_1.json create mode 100644 tests/data/placebo/test_toggle_config_managed_rule/iam.ListAccountAliases_2.json diff --git a/c7n/filters/missing.py b/c7n/filters/missing.py index b9f49b4f667..f3d49f94e09 100644 --- a/c7n/filters/missing.py +++ b/c7n/filters/missing.py @@ -14,6 +14,24 @@ class Missing(Filter): Intended for use at a logical account/subscription/project level This works as an effectively an embedded policy thats evaluated. + + :example: + + Notify if an s3 bucket is missing + + .. code-block:: yaml + + policies: + - name: missing-s3-bucket + resource: account + filters: + - type: missing + policy: + resource: s3 + filters: + - Name: my-bucket + actions: + - notify """ schema = type_schema( 'missing', diff --git a/c7n/resources/account.py b/c7n/resources/account.py index 805680c123a..1a422b5c00d 100644 --- a/c7n/resources/account.py +++ b/c7n/resources/account.py @@ -6,6 +6,7 @@ import time import datetime import jmespath +from contextlib import suppress from botocore.exceptions import ClientError from fnmatch import fnmatch from dateutil.parser import parse as parse_date @@ -1944,6 +1945,209 @@ def process_account(self, account): return True +@actions.register('toggle-config-managed-rule') +class ToggleConfigManagedRule(BaseAction): + """Enables or disables an AWS Config Managed Rule + + :example: + + .. code-block:: yaml + + policies: + - name: config-managed-s3-bucket-public-write-remediate-event + description: | + This policy detects if S3 bucket allows public write by the bucket policy + or ACL and remediates. + comment: | + This policy detects if S3 bucket policy or ACL allows public write access. + When the bucket is evaluated as 'NON_COMPLIANT', the action + 'AWS-DisableS3BucketPublicReadWrite' is triggered and remediates. + resource: account + filters: + - type: missing + policy: + resource: config-rule + filters: + - type: remediation + rule_name: &rule_name 'config-managed-s3-bucket-public-write-remediate-event' + remediation: &remediation-config + TargetId: AWS-DisableS3BucketPublicReadWrite + Automatic: true + MaximumAutomaticAttempts: 5 + RetryAttemptSeconds: 211 + Parameters: + AutomationAssumeRole: + StaticValue: + Values: + - 'arn:aws:iam::{account_id}:role/myrole' + S3BucketName: + ResourceValue: + Value: RESOURCE_ID + actions: + - type: toggle-config-managed-rule + rule_name: *rule_name + managed_rule_id: S3_BUCKET_PUBLIC_WRITE_PROHIBITED + resource_types: + - 'AWS::S3::Bucket' + rule_parameters: '{}' + remediation: *remediation-config + """ + + permissions = ( + 'config:DescribeConfigRules', + 'config:DescribeRemediationConfigurations', + 'config:PutRemediationConfigurations', + 'config:PutConfigRule', + ) + + schema = type_schema('toggle-config-managed-rule', + enabled={'type': 'boolean', 'default': True}, + rule_name={'type': 'string'}, + rule_prefix={'type': 'string'}, + managed_rule_id={'type': 'string'}, + resource_types={'type': 'array', 'items': + {'pattern': '^AWS::*', 'type': 'string'}}, + resource_tag={ + 'type': 'object', + 'properties': { + 'key': {'type': 'string'}, + 'value': {'type': 'string'}, + }, + 'required': ['key', 'value'], + }, + resource_id={'type': 'string'}, + rule_parameters={'type': 'string'}, + remediation={ + 'type': 'object', + 'properties': { + 'TargetType': {'type': 'string'}, + 'TargetId': {'type': 'string'}, + 'Automatic': {'type': 'boolean'}, + 'Parameters': {'type': 'object'}, + 'MaximumAutomaticAttempts': { + 'type': 'integer', + 'minimum': 1, 'maximum': 25, + }, + 'RetryAttemptSeconds': { + 'type': 'integer', + 'minimum': 1, 'maximum': 2678000, + }, + 'ExecutionControls': {'type': 'object'}, + }, + }, + tags={'type': 'object'}, + required=['rule_name'], + ) + + def validate(self): + if ( + self.data.get('enabled', True) and + not self.data.get('managed_rule_id') + ): + raise PolicyValidationError("managed_rule_id required to enable a managed rule") + return self + + def process(self, accounts): + client = local_session(self.manager.session_factory).client('config') + rule = self.ConfigManagedRule(self.data) + params = self.get_rule_params(rule) + + if self.data.get('enabled', True): + client.put_config_rule(**params) + + if rule.remediation: + remediation_params = self.get_remediation_params(rule) + client.put_remediation_configurations( + RemediationConfigurations=[remediation_params] + ) + else: + with suppress(client.exceptions.NoSuchRemediationConfigurationException): + client.delete_remediation_configuration( + ConfigRuleName=rule.name + ) + + with suppress(client.exceptions.NoSuchConfigRuleException): + client.delete_config_rule( + ConfigRuleName=rule.name + ) + + def get_rule_params(self, rule): + params = dict( + ConfigRuleName=rule.name, + Description=rule.description, + Source={ + 'Owner': 'AWS', + 'SourceIdentifier': rule.managed_rule_id, + }, + InputParameters=rule.rule_parameters + ) + + # A config rule scope can include one or more resource types, + # a combination of a tag key and value, or a combination of + # one resource type and one resource ID + params.update({'Scope': {'ComplianceResourceTypes': rule.resource_types}}) + if rule.resource_tag: + params.update({'Scope': { + 'TagKey': rule.resource_tag['key'], + 'TagValue': rule.resource_tag['value']} + }) + elif rule.resource_id: + params.update({'Scope': {'ComplianceResourceId': rule.resource_id}}) + + return dict(ConfigRule=params) + + def get_remediation_params(self, rule): + rule.remediation['ConfigRuleName'] = rule.name + if 'TargetType' not in rule.remediation: + rule.remediation['TargetType'] = 'SSM_DOCUMENT' + return rule.remediation + + class ConfigManagedRule: + """Wraps the action data into an AWS Config Managed Rule. + """ + + def __init__(self, data): + self.data = data + + @property + def name(self): + prefix = self.data.get('rule_prefix', 'custodian-') + return "%s%s" % (prefix, self.data.get('rule_name', '')) + + @property + def description(self): + return self.data.get( + 'description', 'cloud-custodian AWS Config Managed Rule policy') + + @property + def tags(self): + return self.data.get('tags', {}) + + @property + def resource_types(self): + return self.data.get('resource_types', []) + + @property + def managed_rule_id(self): + return self.data.get('managed_rule_id', '') + + @property + def resource_tag(self): + return self.data.get('resource_tag', {}) + + @property + def resource_id(self): + return self.data.get('resource_id', '') + + @property + def rule_parameters(self): + return self.data.get('rule_parameters', '') + + @property + def remediation(self): + return self.data.get('remediation', {}) + + @filters.register('ses-agg-send-stats') class SesAggStats(ValueFilter): """This filter queries SES send statistics and aggregates all diff --git a/c7n/resources/config.py b/c7n/resources/config.py index 8da4b39553d..df068282676 100644 --- a/c7n/resources/config.py +++ b/c7n/resources/config.py @@ -1,7 +1,7 @@ # Copyright The Cloud Custodian Authors. # SPDX-License-Identifier: Apache-2.0 from c7n.actions import BaseAction -from c7n.filters import ValueFilter, CrossAccountAccessFilter +from c7n.filters import Filter, ValueFilter, CrossAccountAccessFilter from c7n.manager import resources from c7n.resolver import ValuesFrom from c7n.query import QueryResourceManager, TypeInfo @@ -126,3 +126,107 @@ def process(self, resources): for r in resources: client.delete_config_rule( ConfigRuleName=r['ConfigRuleName']) + + +@ConfigRule.filter_registry.register('remediation') +class RuleRemediation(Filter): + """Filter to look for config rules that match the given remediation configuration settings + + This filter can be used in conjunction with account missing filter to look for + managed config rules with missing remediation and to enable it accordingly. + + :example: + + .. code-block:: yaml + + policies: + - name: config-managed-s3-bucket-public-write-remediate-event-with-filter + description: | + This policy detects if S3 bucket allows public write by the bucket policy + or ACL and remediates. + comment: | + This policy detects if S3 bucket policy or ACL allows public write access. + When the bucket is evaluated as 'NON_COMPLIANT', the action + 'AWS-DisableS3BucketPublicReadWrite' is triggered and remediates. + resource: account + filters: + - type: missing + policy: + resource: config-rule + filters: + - type: remediation + rule_name: &rule_name 'config-managed-s3-bucket-public-write-remediate-event' + remediation: &remediation-config + TargetId: AWS-DisableS3BucketPublicReadWrite + Automatic: true + MaximumAutomaticAttempts: 5 + RetryAttemptSeconds: 211 + Parameters: + AutomationAssumeRole: + StaticValue: + Values: + - 'arn:aws:iam::{account_id}:role/myrole' + S3BucketName: + ResourceValue: + Value: RESOURCE_ID + actions: + - type: toggle-config-managed-rule + rule_name: *rule_name + managed_rule_id: S3_BUCKET_PUBLIC_WRITE_PROHIBITED + resource_types: + - 'AWS::S3::Bucket' + rule_parameters: '{}' + remediation: *remediation-config + """ + + schema = type_schema('remediation', + rule_name={'type': 'string'}, + remediation={ + 'type': 'object', + 'properties': { + 'target_type': {'type': 'string'}, + 'target_id': {'type': 'string'}, + 'automatic': {'type': 'boolean'}, + 'parameters': {'type': 'object'}, + 'maximum_automatic_attempts': { + 'type': 'integer', + 'minimum': 1, 'maximum': 25, + }, + 'retry_attempt_seconds': { + 'type': 'integer', + 'minimum': 1, 'maximum': 2678000, + }, + 'execution_controls': {'type': 'object'}, + }, + }, + ) + + schema_alias = False + permissions = ('config:DescribeRemediationConfigurations',) + + def process(self, resources, event=None): + prefix = self.data.get('rule_prefix', 'custodian-') + rule_name = "%s%s" % (prefix, self.data['rule_name']) + results = [r for r in resources if r['ConfigRuleName'] == rule_name] + + # no matched rule + if not results: + return [] + + client = local_session(self.manager.session_factory).client('config') + resp = client.describe_remediation_configurations( + ConfigRuleNames=[rule_name] + ) + + desired_remediation_config = self.data['remediation'] + desired_remediation_config['ConfigRuleName'] = rule_name + if 'TargetType' not in desired_remediation_config: + desired_remediation_config['TargetType'] = 'SSM_DOCUMENT' + + # check if matched rule has matched remediation configuration + for r in resp.get('RemediationConfigurations', []): + r.pop('Arn', None) # don't include this for comparison + if r == desired_remediation_config: + return results + + return [] diff --git a/tests/data/placebo/test_config_rule_remediation/config.DescribeConfigRules_1.json b/tests/data/placebo/test_config_rule_remediation/config.DescribeConfigRules_1.json new file mode 100644 index 00000000000..3f51b066176 --- /dev/null +++ b/tests/data/placebo/test_config_rule_remediation/config.DescribeConfigRules_1.json @@ -0,0 +1,482 @@ +{ + "status_code": 200, + "data": { + "ConfigRules": [ + { + "ConfigRuleName": "FMManagedWafv2GlobalResourceConfigRule12042ace-adda-41bd-8ddf-18c5764e44fc", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/fms.amazonaws.com/config-rule-8cw6rk", + "ConfigRuleId": "config-rule-8cw6rk", + "Description": "Config rule for tracking changes to fms wafv2 policy:12042ace-adda-41bd-8ddf-18c5764e44fc", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::CloudFront::Distribution" + ] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "FMS_WEBACL_RESOURCE_POLICY_CHECK_V2" + }, + "InputParameters": "{\"webAclArn\":\"arn:aws:wafv2:us-east-1:644160558196:global/webacl/FMManagedWebACLV2-FMS-Intuit-Only-Compliance-GLOBAL-1644348455514/e287dac6-a33f-4d43-9c2a-d4a0178f1900\",\"policyId\":\"12042ace-adda-41bd-8ddf-18c5764e44fc\",\"resourceTags\":\"{\\\"intu-waf\\\":[\\\"intuitonly\\\"]}\",\"excludeResourceTags\":\"false\"}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "fms.amazonaws.com" + }, + { + "ConfigRuleName": "FMManagedWafv2GlobalResourceConfigRule92bb1456-6820-47d5-97a2-08be3ff01358", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/fms.amazonaws.com/config-rule-jwhxsv", + "ConfigRuleId": "config-rule-jwhxsv", + "Description": "Config rule for tracking changes to fms wafv2 policy:92bb1456-6820-47d5-97a2-08be3ff01358", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::CloudFront::Distribution" + ] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "FMS_WEBACL_RESOURCE_POLICY_CHECK_V2" + }, + "InputParameters": "{\"webAclArn\":\"arn:aws:wafv2:us-east-1:644160558196:global/webacl/FMManagedWebACLV2-FMS-ECB-Compliance-GLOBAL-1644348474601/04a1f3dd-afb1-4b43-94c7-17741b845cb4\",\"policyId\":\"92bb1456-6820-47d5-97a2-08be3ff01358\",\"resourceTags\":\"{\\\"intu-waf\\\":[\\\"ecb\\\"]}\",\"excludeResourceTags\":\"false\"}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "fms.amazonaws.com" + }, + { + "ConfigRuleName": "FMManagedWafv2GlobalResourceConfigRule9d99fb72-9b82-4c59-9e7e-023cd2fea29a", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/fms.amazonaws.com/config-rule-ij8v5s", + "ConfigRuleId": "config-rule-ij8v5s", + "Description": "Config rule for tracking changes to fms wafv2 policy:9d99fb72-9b82-4c59-9e7e-023cd2fea29a", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::CloudFront::Distribution" + ] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "FMS_WEBACL_RESOURCE_POLICY_CHECK_V2" + }, + "InputParameters": "{\"webAclArn\":\"arn:aws:wafv2:us-east-1:644160558196:global/webacl/FMManagedWebACLV2-FMS-Intuit-ApiGW-Compliance-GLOBAL-1644348481240/6339c80b-4b7d-4235-a32c-29e0f097091d\",\"policyId\":\"9d99fb72-9b82-4c59-9e7e-023cd2fea29a\",\"resourceTags\":\"{\\\"intu-waf\\\":[\\\"intuit-apigw\\\"]}\",\"excludeResourceTags\":\"false\"}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "fms.amazonaws.com" + }, + { + "ConfigRuleName": "FMManagedWafv2RegionalResourceConfigRule62691297-b3c2-406c-a663-6e14d5508329", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/fms.amazonaws.com/config-rule-3ybo6u", + "ConfigRuleId": "config-rule-3ybo6u", + "Description": "Config rule for tracking changes to fms wafv2 policy:62691297-b3c2-406c-a663-6e14d5508329", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::ApiGateway::Stage", + "AWS::ElasticLoadBalancingV2::LoadBalancer" + ] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "FMS_WEBACL_RESOURCE_POLICY_CHECK_V2" + }, + "InputParameters": "{\"webAclArn\":\"arn:aws:wafv2:us-east-1:644160558196:regional/webacl/FMManagedWebACLV2-FMS-ECB-Compliance-US-EAST-1-1644348523123/c5d6908b-78b3-4f3a-a3d7-39b1b60f9927\",\"policyId\":\"62691297-b3c2-406c-a663-6e14d5508329\",\"resourceTags\":\"{\\\"intu-waf\\\":[\\\"ecb\\\"]}\",\"excludeResourceTags\":\"false\"}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "fms.amazonaws.com" + }, + { + "ConfigRuleName": "FMManagedWafv2RegionalResourceConfigRulec6017ea4-01a9-4dcb-81b7-aac864853b36", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/fms.amazonaws.com/config-rule-zntvza", + "ConfigRuleId": "config-rule-zntvza", + "Description": "Config rule for tracking changes to fms wafv2 policy:c6017ea4-01a9-4dcb-81b7-aac864853b36", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::ApiGateway::Stage", + "AWS::ElasticLoadBalancingV2::LoadBalancer" + ] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "FMS_WEBACL_RESOURCE_POLICY_CHECK_V2" + }, + "InputParameters": "{\"webAclArn\":\"arn:aws:wafv2:us-east-1:644160558196:regional/webacl/FMManagedWebACLV2-FMS-Intuit-Only-Compliance-US-EAST-1-1644348540337/56e8f7c5-bb41-453e-8173-f9578887ff30\",\"policyId\":\"c6017ea4-01a9-4dcb-81b7-aac864853b36\",\"resourceTags\":\"{\\\"intu-waf\\\":[\\\"intuitonly\\\"]}\",\"excludeResourceTags\":\"false\"}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "fms.amazonaws.com" + }, + { + "ConfigRuleName": "FMManagedWafv2RegionalResourceConfigRuled1b4c52a-2c26-4a98-b41e-d2b1b3f5a0ee", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/fms.amazonaws.com/config-rule-otqkei", + "ConfigRuleId": "config-rule-otqkei", + "Description": "Config rule for tracking changes to fms wafv2 policy:d1b4c52a-2c26-4a98-b41e-d2b1b3f5a0ee", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::ApiGateway::Stage", + "AWS::ElasticLoadBalancingV2::LoadBalancer" + ] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "FMS_WEBACL_RESOURCE_POLICY_CHECK_V2" + }, + "InputParameters": "{\"webAclArn\":\"arn:aws:wafv2:us-east-1:644160558196:regional/webacl/FMManagedWebACLV2-FMS-AWS-CloudFront-Compliance-US-EAST-1-1644348501056/ca6e12c7-e1fe-4f8d-b210-682a75cab490\",\"policyId\":\"d1b4c52a-2c26-4a98-b41e-d2b1b3f5a0ee\",\"resourceTags\":\"{\\\"intu-waf\\\":[\\\"aws-cloudfront\\\"]}\",\"excludeResourceTags\":\"false\"}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "fms.amazonaws.com" + }, + { + "ConfigRuleName": "custodian-config-custom-alb-ecb-set-waf-remediate-event", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-o8b8td", + "ConfigRuleId": "config-rule-o8b8td", + "Description": "Tag intu-waf=ecb and attach ECB WAF if ALB is in the exception list for Development account.\n", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::ElasticLoadBalancingV2::LoadBalancer" + ] + }, + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-alb-ecb-set-waf-remediate-event", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ConfigurationItemChangeNotification" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-alb-ecb-set-waf-remediate-hourly", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-mhzmzl", + "ConfigRuleId": "config-rule-mhzmzl", + "Description": "Tag intu-waf=ecb and attach ECB WAF if ALB is in the exception list for Development account.\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-alb-ecb-set-waf-remediate-hourly", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "One_Hour" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-alb-ecb-waf-report-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-lkmpyi", + "ConfigRuleId": "config-rule-lkmpyi", + "Description": "Check if Firewall Managed FMManagedWebACLV2-FMS-Intuit WAF is attached to Application Loadbalancer in Learning/Development.\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-alb-ecb-waf-report-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "One_Hour" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-alb-intuit-set-waf-remediate-event", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-0i0jsu", + "ConfigRuleId": "config-rule-0i0jsu", + "Description": "Tag intu-waf=intuitonly and attach IntuitOnly WAF if ALB is not in the exception list for Learning/Development account.\n", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::ElasticLoadBalancingV2::LoadBalancer" + ] + }, + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-alb-intuit-set-waf-remediate-event", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ConfigurationItemChangeNotification" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-alb-intuit-set-waf-remediate-hourly", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-plmf0i", + "ConfigRuleId": "config-rule-plmf0i", + "Description": "Tag intu-waf=intuitonly and attach IntuitOnly WAF if ALB is not in the exception list for Learning/Development account.\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-alb-intuit-set-waf-remediate-hourly", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "One_Hour" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-alb-logging-check-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-xnsub6", + "ConfigRuleId": "config-rule-xnsub6", + "Description": "Policy checks ALB SECURITY LOGGING Attributes for lynx-t058-/alb, if enabled is true then report to ACP as compliance.\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-alb-logging-check-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-alb-unset-waf-remediate-event", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-pxnfki", + "ConfigRuleId": "config-rule-pxnfki", + "Description": "Checks if ALB Security Groups only allowing IntuitOnly IPs then add a Tag intu-waf=proxy-intuitonly-apigw and detach WAF.\n", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::ElasticLoadBalancingV2::LoadBalancer" + ] + }, + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-alb-unset-waf-remediate-event", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ConfigurationItemChangeNotification" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-alb-unset-waf-remediate-hourly", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-kg6v88", + "ConfigRuleId": "config-rule-kg6v88", + "Description": "Checks if ALB Security Groups only allowing IntuitOnly IPs then add a Tag intu-waf=proxy-intuitonly-apigw and detach WAF.\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-alb-unset-waf-remediate-hourly", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "One_Hour" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-alb-waf-fail-open-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-cvp9vz", + "ConfigRuleId": "config-rule-cvp9vz", + "Description": "Policy checks ALB WAF FAIL Open Attribute, if enabled is true then report to ACP as non-compliance.\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-alb-waf-fail-open-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-alb-waf-report-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-5c4uor", + "ConfigRuleId": "config-rule-5c4uor", + "Description": "Check if Firewall Managed WAF is attached to Application Loadbalancer in Learning/Development/Production excluding IKS\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-alb-waf-report-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-alb-waf-tag-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-ne960s", + "ConfigRuleId": "config-rule-ne960s", + "Description": "Probe WAF tag for the new and existing Learning/Development/Production Application Loadbalancer and report COMPLIANT/NONCOMPLIANT.\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-alb-waf-tag-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-apigateway-ecb-waf-report-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-wx3nyn", + "ConfigRuleId": "config-rule-wx3nyn", + "Description": "Check if Firewall Managed (IntuitOnly, Intuit-Internal, Intuit-Only4GW or Intuit-ApiGW) WAF is attached to AWS APIgateway in Learning/Development environments and mark it as NonCompliant if not.\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-apigateway-ecb-waf-report-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-apigw-set-ecb-waf-remediate-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-ehgu6a", + "ConfigRuleId": "config-rule-ehgu6a", + "Description": "Tag intu-waf=ecb and attach ECB WAF if APIGW stage is in the exception list for development account.\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-apigw-set-ecb-waf-remediate-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-apigw-set-ecb-waf-remediate-event", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-h7dsql", + "ConfigRuleId": "config-rule-h7dsql", + "Description": "Tag intu-waf=ecb and attach ECB WAF if APIGW stage is in the exception list for development account.\n", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::ApiGateway::Stage" + ] + }, + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-apigw-set-ecb-waf-remediate-event", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ConfigurationItemChangeNotification" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-apigw-set-intuit-waf-remediate-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-o0aea4", + "ConfigRuleId": "config-rule-o0aea4", + "Description": "Tag intu-waf=intuitonly and attach IntuitOnly WAF if APIGW stage is not in the exception list for development account.\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-apigw-set-intuit-waf-remediate-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-apigw-set-intuit-waf-remediate-event", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-pdi93s", + "ConfigRuleId": "config-rule-pdi93s", + "Description": "Tag intu-waf=intuitonly and attach IntuitOnly WAF if APIGW stage is not in the exception list for development account.\n", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::ApiGateway::Stage" + ] + }, + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-apigw-set-intuit-waf-remediate-event", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ConfigurationItemChangeNotification" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-apigw-tls-domain-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-xnylxg", + "ConfigRuleId": "config-rule-xnylxg", + "Description": "Checks on Api Gateway custom domain names security configuration and reports.\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-apigw-tls-domain-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-apigw-waf-report-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-snrdtu", + "ConfigRuleId": "config-rule-snrdtu", + "Description": "Check if Firewall Managed (ECB, IntuitOnly, Intuit-Internal, Intuit-Only4GW, Intuit-ApiGW or AWS-CloudFront) WAF is attached to AWS APIgateway in Learning/Development/Production environments and mark it as NonCompliant if not.\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-apigw-waf-report-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-appsync-set-intuit-waf-remediate-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-aop8xi", + "ConfigRuleId": "config-rule-aop8xi", + "Description": "Policy checks Appsync Graphql Apis for WAF protection, if wafWebAclArn is not set to a supported waf rule then it is enabled.\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-appsync-set-intuit-waf-remediate-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + } + ], + "NextToken": "eyJlbmNyeXB0ZWREYXRhIjpbMzIsMzEsMzAsNzksMTMsLTQ3LDU5LC01MSwtODUsLTM2LDQ2LC01OCwtMTEyLC05LC00OCwtOTMsLTUzLC0xMDIsNTAsMTA4LC05OSwxMDIsMTAzLC0xMjAsLTkzLC02LC04NCwtMTE4LDI4LDk1LC0xMjgsLTcyLC00MiwtNjQsMTA2LC0xNSwyMywtMTcsMTMsLTI4LC0xMDksMTA2LC04OCwtOTYsNDEsMTAzLC0yNSw3OCwxMCwtMTAyLDEzLDEwNyw0NiwxMjQsLTg2LC0xMDcsMjUsNDksLTEzLC0zMywtNjUsMTgsOTIsLTgxLDI2LDAsMTcsMzgsMTIwLDczLDIxLC0xMDYsNzUsLTIyLDgyLC04MywtOTIsMzEsLTkyLC01MCw0NywxNCwtNSw1NywtNzUsMzQsNTEsLTgzLDU4LDU0LC0xNSw4OCwwLC02NywtMTAxLDEwOCwtNjksLTExMCwxMDYsMTAyLC0zMiwtNDcsMTAyLC05NywtOTAsLTYxLC02OSwtODQsOTUsNjMsLTEwMiwxMTIsLTEyNiwtMTksODEsLTk1LC0xMDAsMzgsNzUsLTUxLC04MCw1NCw3NywtNDIsLTUzLDQyLC05NywtMTUsLTIwLDEwMiwwLC0xMjcsODYsLTk0LC0zMSwtODAsMTA2LDgzLDIwLDg0LDk5LDMzLDkwLC05OSw1Niw1MCwxMTEsLTEyMiwtNzUsMTEzLC0yNSw3MywtNDUsMTAwLC04NywtMTEwLC00NCw1OCwtMTAwLC0zNSwtOTIsOTksOTcsLTg2LC0xMDIsLTEzLDI4LDExMCwtNzksLTE2LDM2LDUxLC0xOCwtMjIsODQsLTkxLC02MywxMjEsODIsLTUyLC0zMyw4NSwtNDUsLTMsNjEsLTM1LC03LDEyNyw0OSwtMjcsMTE5LDEyNSwzLDEwMSwtOCwtNzEsNjksLTY5LC04MiwtMTEzLC02OSwtNCwtMzksLTYzLDcxLC03NiwtOTcsMTA2LC0xMDEsLTExNiwtOTEsLTM3LDEyMywxMDEsNTgsNTQsLTg5LC03OSwxMjQsODYsLTIyLDM2LC00MSwtMTEzLC0zNiwtMzUsLTIwLC04MSwxMDgsMzMsLTEyLDksODUsODMsNzgsLTEwMCwtMTIwLDQwLC0xMDMsLTk0LDg1LDMsNzIsNCwtNjQsMzEsMTIsNzQsLTYwLDEwMSw3MSwxMjEsLTY5LC0xMDYsLTU1LC02MSwtMTcsMzUsMTA5XSwibWF0ZXJpYWxTZXRTZXJpYWxOdW1iZXIiOjEsIml2UGFyYW1ldGVyU3BlYyI6eyJpdiI6WzkxLDE4LC00OSwtMTA0LDEyLC02OCw1OSwzMiwxMDcsLTM3LC0xMjEsLTU3LC05OSwtNjYsLTk3LDExMl19fQ==", + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/data/placebo/test_config_rule_remediation/config.DescribeConfigRules_2.json b/tests/data/placebo/test_config_rule_remediation/config.DescribeConfigRules_2.json new file mode 100644 index 00000000000..a23bd15f394 --- /dev/null +++ b/tests/data/placebo/test_config_rule_remediation/config.DescribeConfigRules_2.json @@ -0,0 +1,475 @@ +{ + "status_code": 200, + "data": { + "ConfigRules": [ + { + "ConfigRuleName": "custodian-config-custom-catalog-product-check-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-6arufp", + "ConfigRuleId": "config-rule-6arufp", + "Description": "Policy to check TagOption configuration for Service Catalog products\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-catalog-product-check-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-cf-set-ecb-waf-remediate-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-hktqvw", + "ConfigRuleId": "config-rule-hktqvw", + "Description": "Tag intu-waf=ecb and attach ECB WAF if Cloudfront distro is in the exception list for development account.\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-cf-set-ecb-waf-remediate-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-cf-set-ecb-waf-remediate-event", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-vbfznf", + "ConfigRuleId": "config-rule-vbfznf", + "Description": "Tag intu-waf=ecb and attach ECB WAF if Cloudfront distro is in the exception list for development account.\n", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::CloudFront::Distribution" + ] + }, + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-cf-set-ecb-waf-remediate-event", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ConfigurationItemChangeNotification" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-cf-set-intuit-waf-remediate-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-rwvg5a", + "ConfigRuleId": "config-rule-rwvg5a", + "Description": "Tag intu-waf=intuitonly and attach IntuitOnly WAF if Cloudfront distro is not in the exception list for development account.\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-cf-set-intuit-waf-remediate-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-cf-set-intuit-waf-remediate-event", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-cv6hku", + "ConfigRuleId": "config-rule-cv6hku", + "Description": "Tag intu-waf=intuitonly and attach IntuitOnly WAF if Cloudfront distro is not in the exception list for development account.\n", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::CloudFront::Distribution" + ] + }, + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-cf-set-intuit-waf-remediate-event", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ConfigurationItemChangeNotification" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-cfn-agienvmgr-report-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-zecyjn", + "ConfigRuleId": "config-rule-zecyjn", + "Description": "checks agi-env-manager-template stack for proper version\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-cfn-agienvmgr-report-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-cloudfront-ecb-waf-report-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-ahywip", + "ConfigRuleId": "config-rule-ahywip", + "Description": "Check if Firewall Managed (IntuitOnly, Intuit-Internal, Intuit-Only4GW or Intuit-ApiGW) WAF is attached to Cloudfront in Learning/Development environments\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-cloudfront-ecb-waf-report-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-cloudfront-s3-origin-tls-acp-event", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-fm3ywy", + "ConfigRuleId": "config-rule-fm3ywy", + "Description": "Notification for any unsupported TLS version in cloudfront\n", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::CloudFront::Distribution" + ] + }, + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-cloudfront-s3-origin-tls-acp-event", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ConfigurationItemChangeNotification" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-cloudfront-tls-acp-event", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-dnxytx", + "ConfigRuleId": "config-rule-dnxytx", + "Description": "Notification for any unsupported cloudfront TLS version in learning accounts\n", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::CloudFront::Distribution" + ] + }, + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-cloudfront-tls-acp-event", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ConfigurationItemChangeNotification" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-cloudfront-waf-report-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-i58tqi", + "ConfigRuleId": "config-rule-i58tqi", + "Description": "Check if Firewall Managed (ECB, IntuitOnly, Intuit-Internal, Intuit-Only4GW or Intuit-ApiGW) WAF is attached to Cloudfront in Learning/Development/Production environments\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-cloudfront-waf-report-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-cloudtrail-enabled-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-hsnzpy", + "ConfigRuleId": "config-rule-hsnzpy", + "Description": "Check if cloudtrail is enabled with multi region selected and s3 bucket defined", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-cloudtrail-enabled-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-dax-cluster-intransit-check-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-c19vki", + "ConfigRuleId": "config-rule-c19vki", + "Description": "IS.031.26 DAX Cluster should be encrypted at in-transit. ACP policy will need to detect that encryption in transit is enabled.\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-dax-cluster-intransit-check-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-dax-cluster-nonvpc-check-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-bwp5vd", + "ConfigRuleId": "config-rule-bwp5vd", + "Description": "IS.014.25 Checks whether the DAX Cluster is launched in a VPC or not.\nDAX cluster which is not created under any VPC, it is considered NON_COMPLIANT.\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-dax-cluster-nonvpc-check-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-docdbcl-deleteprotect-remediate-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-t9wwyd", + "ConfigRuleId": "config-rule-t9wwyd", + "Description": "ACP Remediation for DocumentDB Clusters to Enable \"Deletion Protection\". PEC Keys: IS003.13-SHBEST_1.0.0_RDS.7-1.0.0\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-docdbcl-deleteprotect-remediate-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-documentdb-tls-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-tehcaj", + "ConfigRuleId": "config-rule-tehcaj", + "Description": "ACP alert to detect if any document db clusters have TLS disabled\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-documentdb-tls-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-ebs-snapshot-public-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-ngw7g5", + "ConfigRuleId": "config-rule-ngw7g5", + "Description": "Check Public permission on snapshot and reports on ACP to reset it as private permissions. Periodically it runs.\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-ebs-snapshot-public-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-ec2-instance-profile-role-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-mv1ssg", + "ConfigRuleId": "config-rule-mv1ssg", + "Description": "Alert ACP for any EC2 instances profile which have NO role or instance profile associated.\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-ec2-instance-profile-role-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-ec2-ssm-ping-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-2bxmul", + "ConfigRuleId": "config-rule-2bxmul", + "Description": "Check if EC2 instance is listening from SSM\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-ec2-ssm-ping-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-efs-encryption-in-transit-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-qayrtk", + "ConfigRuleId": "config-rule-qayrtk", + "Description": "Checks on EFS security configuration and report on ACP.\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-efs-encryption-in-transit-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-eks-atrest-check-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-jlwjbv", + "ConfigRuleId": "config-rule-jlwjbv", + "Description": "CLOP-7364 - Check EKS cluster to verify if EKS envelope encryption is enabled. Report it as violation if it is not enabled. ACP Sub Control: DH.004.20.\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-eks-atrest-check-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-eks-logging-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-1fh24b", + "ConfigRuleId": "config-rule-1fh24b", + "Description": "Checks if Logs are enabled on EKS clusters and marks them as non compliant if they are not enabled \n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-eks-logging-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-eks-nonvpc-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-wtlnpx", + "ConfigRuleId": "config-rule-wtlnpx", + "Description": "Check's if Amazon EKS Cluster are deployed within a VPC.\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-eks-nonvpc-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-eks-public-quad-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-9garkr", + "ConfigRuleId": "config-rule-9garkr", + "Description": "CLOP-5536 - Check EKS cluster for public access enabled and quad subnet allowed to connect. Report it as violation.\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-eks-public-quad-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-eks-subnet-igw-check-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-5v4d3u", + "ConfigRuleId": "config-rule-5v4d3u", + "Description": "Created policy to find subnet configured for EKS Cluster has route to IGW.\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-eks-subnet-igw-check-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-elasticache-encryption-at-rest-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-qnc46a", + "ConfigRuleId": "config-rule-qnc46a", + "Description": "This policy will flag if Redis ElastiCache running unencrypted AtRest, since Redis can ben encrypted policy will check if the encryption AtRest attribute for Redis is enabled.\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-elasticache-encryption-at-rest-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + } + ], + "NextToken": "eyJlbmNyeXB0ZWREYXRhIjpbLTk2LC04MywtODksLTEwNSwtNTAsOTksLTY1LC05MSwzOCwyNSwzNCwtNDUsOTcsLTgwLC02NSw2Nyw2OSwtNTgsMTE4LC03NSwtNzEsLTEyMiwtNTUsMTAsODQsLTkyLC01NywtMTIzLDExNiwzLC04OCwtOTcsLTcwLC0zMSwtNTIsLTc5LC01OCw0MywtMjAsLTcwLC0yOSwxNCwtMjIsNTksMTAxLDEwNiwtMTMsOTksNTEsLTc5LC04Miw0LC04NCwtNDUsLTg0LDQ0LDEwNCwtNjYsODQsLTM0LC00OCw1MCwxNiwxMTAsLTEyNCwtMzYsLTUzLDk5LDgsLTYzLDEwOSwyMSwtMSwtNzksLTcyLC0xMjAsMjMsLTEsLTExNiw4MiwyNyw4NCw0NCw4OCwtNzIsMTExLDU5LC0xMjQsNTEsMTA0LC0yNCwtOTMsLTEyNCwtNTIsMjQsLTg3LDg2LC04NiwtMzEsMzAsLTg5LC00OSwtNTQsLTIxLDg5LC0xMTEsMjksLTcwLC01NCwtOCwtOTYsMzAsLTIxLC0xMTYsNDYsLTIsLTIxLDUsOTgsODcsODUsMTE1LDQ3LDExOCw1MywtODUsLTI5LC0xMDYsMzcsNzUsLTYyLC01MiwtMTE0LC0zMCwyMCwtMTAwLC03NywtNzYsNzIsODIsLTg3LC0xMjQsLTgzLC0zOCw4MiwzLDM4LC0zOCwtOTgsLTEwMCw3MiwtNzcsLTUwLDgxLDUyLC02MCwtMTE0LC0xMTEsLTYzLDQwLDQ5LDUyLDUyLC00NCwxMTUsLTgyLDkxLDU2LC0xMDIsLTk3LDYsMjksMTI1LC0xOSwtMzQsLTEwLC05NiwtMTI2LDExOSwtMTEyLC04OSw0LDgzLC04NCw3MywtMTEsLTEwMiwtMTExLDQ0LC0xMjIsLTg3LDgwLC04MSwtMTQsLTExNCwtMTIwLC01MiwzNSwzMSwxMTMsLTM2LDMyLDM5LDExNyw1Miw5OCwtMTI3LC05MCw4MiwxNSwtMTI2LC02NCwtMjIsODIsLTY1LC00OCwtOTMsMTI2LDMzLDExMCwtNjQsLTQyLC0xMjUsNjksLTUxLC04MiwtMTIzLC0xMjQsLTc2LDcxLC05MSwtNjgsMTksMTA4LDg0LC0xNywtMzQsOTcsLTEwOCwxMjEsMTA2LDc0LDIxLDIxLDM2LC0xMjEsLTExNiwtMTE5LC0xMDksMTMsNjUsLTQ4LDI0LC0yNCwtMTIwLDE2LDI2LC0xMCwxNSwzLDY4XSwibWF0ZXJpYWxTZXRTZXJpYWxOdW1iZXIiOjEsIml2UGFyYW1ldGVyU3BlYyI6eyJpdiI6WzcwLC05MiwzMSwtMjQsLTM2LDExMSwtNzcsLTY3LC01Nyw4MiwtMTIyLC0xMTIsMTcsNjQsMzIsMF19fQ==", + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/data/placebo/test_config_rule_remediation/config.DescribeConfigRules_3.json b/tests/data/placebo/test_config_rule_remediation/config.DescribeConfigRules_3.json new file mode 100644 index 00000000000..dd8e6b55299 --- /dev/null +++ b/tests/data/placebo/test_config_rule_remediation/config.DescribeConfigRules_3.json @@ -0,0 +1,463 @@ +{ + "status_code": 200, + "data": { + "ConfigRules": [ + { + "ConfigRuleName": "custodian-config-custom-elasticache-encryption-in-tran-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-yoizwa", + "ConfigRuleId": "config-rule-yoizwa", + "Description": "This policy will flag if Redis ElastiCache running unencrypted InTransit, since Redis can ben encrypted policy will check if the encryption InTransit attribute for Redis is enabled.\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-elasticache-encryption-in-tran-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-elasticache-nonvpc-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-mjyxy0", + "ConfigRuleId": "config-rule-mjyxy0", + "Description": "Policy will flag if any Redis/Memcached ElastiCache clusters are running without VPC associated to its nodes.\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-elasticache-nonvpc-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-elb-logging-check-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-jtv0d0", + "ConfigRuleId": "config-rule-jtv0d0", + "Description": "Policy checks ELB SECURITY LOGGING Attributes for lynx-t003-/aws/elb, if enabled is true then report to ACP as compliance.\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-elb-logging-check-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-elb-tls-acp-event", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-a309in", + "ConfigRuleId": "config-rule-a309in", + "Description": "ACP notification for any unsupported TLS version on ELB\n", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::ElasticLoadBalancing::LoadBalancer" + ] + }, + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-elb-tls-acp-event", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ConfigurationItemChangeNotification" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-emr-nonvpc-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-2jpkyb", + "ConfigRuleId": "config-rule-2jpkyb", + "Description": "Check's if EMR Cluster nodes are created in VPC or 'Launch into EC2 Classic'.\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-emr-nonvpc-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-emr-public-subnet-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-wiy6zh", + "ConfigRuleId": "config-rule-wiy6zh", + "Description": "ACP policy to detect if EMR instance is hosted in subnet which has a route to internet gateway. \n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-emr-public-subnet-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-iam-group-kms-decrypt-policy-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-nln6po", + "ConfigRuleId": "config-rule-nln6po", + "Description": "Periodic config rule for IAM groups where AWS IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-iam-group-kms-decrypt-policy-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-iam-role-kms-decrypt-policy-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-1bktjk", + "ConfigRuleId": "config-rule-1bktjk", + "Description": "Periodic config rule for IAM roles where AWS IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-iam-role-kms-decrypt-policy-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-iam-user-kms-decrypt-policy-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-aedwiw", + "ConfigRuleId": "config-rule-aedwiw", + "Description": "Periodic config rule for IAM users where AWS IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-iam-user-kms-decrypt-policy-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-instance-profile-no-policy-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-fcslhd", + "ConfigRuleId": "config-rule-fcslhd", + "Description": "Periodic config rule for any EC2 instances with instance profile having a role but NO intuit SSM custom managed policy attached\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-instance-profile-no-policy-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-lambda-in-vpc-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-lgdzog", + "ConfigRuleId": "config-rule-lgdzog", + "Description": "A daily ACP policy will check if Lambdas are deployed within a VPC or not we are filtering out all lambda whose name starts from custodian, agi, chapi, chaplette or chp.\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-lambda-in-vpc-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-lambda-in-vpc-three-az-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-j2lhqi", + "ConfigRuleId": "config-rule-j2lhqi", + "Description": "A daily ACP policy report lambda functions which are in a vpc as compliant if they have 3 subnets across 3 AZs. We are not filtering out lambda name starts from custodian, agi, chapi, chaplette or chp\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-lambda-in-vpc-three-az-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-msk-cluster-inrest-check-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-xrcfdy", + "ConfigRuleId": "config-rule-xrcfdy", + "Description": "DH.004.19 MSK Cluster should be encrypted at in-rest. ACP policy will need to detect that encryption at rest is enabled.\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-msk-cluster-inrest-check-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-msk-cluster-ptpb-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-2bf4vh", + "ConfigRuleId": "config-rule-2bf4vh", + "Description": "IS.048.2 MSK Cluster has to be enabled with PER_TOPIC_PER_BROKER monitoring setting. Note: Enhanced metrics are available for an additional cost.\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-msk-cluster-ptpb-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-msk-cluster-tls-check-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-phuoyp", + "ConfigRuleId": "config-rule-phuoyp", + "Description": "IS.031.20 MSK Cluster should be encrypted over HTTPS using TLS conditions. ACP policy will need to detect that both client cert authentication and encryption in transit between clients and brokers is enabled.\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-msk-cluster-tls-check-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-neptcl-deleteprotect-remediate-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-e6gnxd", + "ConfigRuleId": "config-rule-e6gnxd", + "Description": "ACP Remediation for Neptune DB Clusters to Enable \"Deletion Protection\". PEC Keys: IS003.13-SHBEST_1.0.0_RDS.7-1.0.0\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-neptcl-deleteprotect-remediate-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-neptune-ssl-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-xcv3u9", + "ConfigRuleId": "config-rule-xcv3u9", + "Description": "ACP alert to detect if any neptune db clusters have SSL disabled\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-neptune-ssl-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-nlb-logging-check-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-9cic9w", + "ConfigRuleId": "config-rule-9cic9w", + "Description": "Policy checks NLB SECURITY LOGGING Attributes for lynx-t059-/nlb, if enabled is true then report to ACP as compliance.\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-nlb-logging-check-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-r53hostedzone-logging-check-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-oafk10", + "ConfigRuleId": "config-rule-oafk10", + "Description": "Policy checks R53 public HostedZone Query LOGGING Attributes for arn:aws:logs:us-east-1:644160558196:destination:r53query-log-destination-644160558196, if enabled as expected, it is true then report to ACP as compliance.\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-r53hostedzone-logging-check-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-rds-aurora-encr-in-transit-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-axovyt", + "ConfigRuleId": "config-rule-axovyt", + "Description": "ACP policy to detect if an Aurora mysql or postgres RDS cluster has in-transit encryption configured\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-rds-aurora-encr-in-transit-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-rds-encr-in-transit-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-s1n1q5", + "ConfigRuleId": "config-rule-s1n1q5", + "Description": "ACP policy to detect if an RDS instance has in-transit encryption configured\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-rds-encr-in-transit-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-rds-proxy-tls-check-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-gfqs3z", + "ConfigRuleId": "config-rule-gfqs3z", + "Description": "IS.031.22 RDS Proxies should be enabled or configured with RequireTLS == true. ACP policy will need to check, if RDS Proxies arer enabled for TLS check.\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-rds-proxy-tls-check-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-rds-public-subnet-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-3vopea", + "ConfigRuleId": "config-rule-3vopea", + "Description": "ACP policy to detect if RDS instance is hosted in subnet which has a route to internet gateway or nat-gateway. \n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-rds-public-subnet-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-rds-snapshot-unused-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-uztxjc", + "ConfigRuleId": "config-rule-uztxjc", + "Description": "\"AP001-1.0.5 SubControl: AP001.9\" - ACP policy to detect when RDS Snapshot over 30 days exist.\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-rds-snapshot-unused-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-rds-unused-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-wtlghd", + "ConfigRuleId": "config-rule-wtlghd", + "Description": "CLOP-7356 - ACP policy to detect RDS without connections over 30 days. ACP Sub Control: AP.001.9\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-rds-unused-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + } + ], + "NextToken": "eyJlbmNyeXB0ZWREYXRhIjpbOTgsNzksLTEyNSwtMTEyLDc4LC0zMSwtNTUsNDUsLTUsLTc2LDE5LC04LDkzLDQ2LC00OCw4MCwxMTMsLTYxLC04MywyLDcsLTk1LC05NCw2MSwtODMsMjUsLTEyMiwtMjgsLTg4LC0zOSw2Myw2NiwtMTIzLC02OSwtMSw5MiwtNjQsMzgsNzEsLTM4LC04MSw5OCwtNjQsLTI0LDEwMyw3OCwtMjgsMzcsLTczLDIyLC02MSwtMzUsLTM1LDEzLDUwLC0xMTgsMzAsMTEzLC0xMTksLTk4LDY0LC05Niw4NiwtMTE2LDkzLDc3LDc1LDM2LDYxLC02NCwtNTcsLTEyMCw4MCwtMTksMzYsLTM3LDU5LC0xMDQsLTEwLC00MiwtNzgsNDksODYsNDgsNjUsMTEwLDYwLC02NywxNywtMTcsNCwxMjEsLTQ5LC04MiwxMDAsMTE5LC04MSwtNTIsLTQ0LDUyLC01OCwtODEsLTUsLTcsMTIyLDczLDEyMSw5NCwtMjUsLTc2LC01MSwxMDMsMSw4NCwtNjEsNjMsLTI1LDE1LDExLC0zLDY5LC00OSwtNzYsMTE0LC0xMDQsLTE0LC0xNiw5NSwxMSwxMyw2MiwzOSwtNTksNzQsNjcsMzIsMjEsLTQ0LC0xMTYsNDcsLTYwLC0xMTgsNzIsLTE1LDExNiwxOSwtNDQsLTUwLC04Nyw4Nyw1LDY3LDExMCwtNTgsLTM0LDMxLC0yNSwtMzksLTMxLC0zMywxNiwtMTI2LC02LC0xMTcsNjMsNDksLTQzLC03OCwzMSwtNDAsMSwtMjIsNDMsOTUsODAsMTI1LC05NiwtNzYsODQsNjMsLTEwNyw4MSwtOSwxMTAsNzIsMzcsMTA2LC01NiwtNTcsMSwtNzcsNCw2NSw1NSwtNDEsLTY4LC0zMywtMzgsLTE0LC00MywtMzcsODEsNzgsMzcsODgsLTk2LDI3LC02Nyw1NSwxNiwtMTcsMjAsMTIzLC04LDEwLDQyLDkyLC00NCwtMTI4LC01NCwzMCwtMTEwLDEyMywxMDksOSwxMDksLTExMCwxMjYsNzQsNTcsNjksOTgsMjIsLTU0LDM4LDg2LDExMywtMTI1LDExMCw0NywtOV0sIm1hdGVyaWFsU2V0U2VyaWFsTnVtYmVyIjoxLCJpdlBhcmFtZXRlclNwZWMiOnsiaXYiOlstMTA3LDgzLDksLTM5LC01MCwtMTA2LC0xMCwyOSw0MSw0OCwtMTIzLDEwNSwtNjMsMTAsNTIsLTUxXX19", + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/data/placebo/test_config_rule_remediation/config.DescribeConfigRules_4.json b/tests/data/placebo/test_config_rule_remediation/config.DescribeConfigRules_4.json new file mode 100644 index 00000000000..02f899d2ecd --- /dev/null +++ b/tests/data/placebo/test_config_rule_remediation/config.DescribeConfigRules_4.json @@ -0,0 +1,475 @@ +{ + "status_code": 200, + "data": { + "ConfigRules": [ + { + "ConfigRuleName": "custodian-config-custom-rdsclus-aurora-connection-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-rv7khs", + "ConfigRuleId": "config-rule-rv7khs", + "Description": "ACP Remediation to detects when an RDS Cluster (Aurora) hasn't had a DB connection for 30 days. PEC Keys: ACP Sub-Control:AP.001.10\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-rdsclus-aurora-connection-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-rdsclus-deleteprotect-remediate-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-njhgq1", + "ConfigRuleId": "config-rule-njhgq1", + "Description": "ACP Remediation for RDS DBClusters to Enable \"Deletion Protection\". PEC Keys: IS003.13-SHBEST_1.0.0_RDS.7-1.0.0\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-rdsclus-deleteprotect-remediate-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-rdscluster-maz-check-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-p0z12n", + "ConfigRuleId": "config-rule-p0z12n", + "Description": "BC.005.3 RDS Cluster should be configured to span multiple AZs. ACP policy will need to check if RDS Aurora DB Clusters are deployed across at least 2 AZs.\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-rdscluster-maz-check-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-rdsinst-deleteprotect-remediate-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-izatqh", + "ConfigRuleId": "config-rule-izatqh", + "Description": "ACP Remediation for RDS DBInstances to Enable \"Deletion Protection\". PEC Keys: IS003.12-SHBEST_1.0.0_RDS.8-1.0.0\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-rdsinst-deleteprotect-remediate-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-redshift-snapshot-unencrypted-acp-event", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-n4o06k", + "ConfigRuleId": "config-rule-n4o06k", + "Description": "ACP notification for unencrypted redshift snapshot.\n", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::Redshift::ClusterSnapshot" + ] + }, + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-redshift-snapshot-unencrypted-acp-event", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ConfigurationItemChangeNotification" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-redshift-unused-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-5o8sof", + "ConfigRuleId": "config-rule-5o8sof", + "Description": "Checks for Redshift Clusters which have not had a connection within 30 days and reports \n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-redshift-unused-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-s3-bucket-delete-r53-remediate-event", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-qrthrr", + "ConfigRuleId": "config-rule-qrthrr", + "Description": "Removes route53 resource record associated with an S3 bucket when the bucket it deleted\n", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::S3::Bucket" + ] + }, + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-s3-bucket-delete-r53-remediate-event", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ConfigurationItemChangeNotification" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-s3-unencrypted-acp-event", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-zxqbr5", + "ConfigRuleId": "config-rule-zxqbr5", + "Description": "Check if S3 bucket is encrypted or not at rest.\n", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::S3::Bucket" + ] + }, + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-s3-unencrypted-acp-event", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ConfigurationItemChangeNotification" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-sagemaker-nbinrest-check-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-o8msqf", + "ConfigRuleId": "config-rule-o8msqf", + "Description": "DH.004.12 Sagemaker Notebooks should be encrypted at rest. ACP policy will need to detect when Sagemaker notebook data is not encrypted at rest and report.\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-sagemaker-nbinrest-check-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-sagemaker-nonvpc-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-rsgnkw", + "ConfigRuleId": "config-rule-rsgnkw", + "Description": "Notify if sagemaker notebook is created outside VPC", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-sagemaker-nonvpc-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-sg-non-intuit-ingress-acp-event", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-b3ulsq", + "ConfigRuleId": "config-rule-b3ulsq", + "Description": "Detect non-intuit CIDRs/IPs, non-internal, non-route53 healthchecks ingress rules from the security group and report.\n", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::EC2::SecurityGroup" + ] + }, + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-sg-non-intuit-ingress-acp-event", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ConfigurationItemChangeNotification" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-sg-non-intuit-ingress-remediate-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-5zxf5k", + "ConfigRuleId": "config-rule-5zxf5k", + "Description": "Detect non-intuit CIDRs/EIPs, non-internal, non-route53 healthchecks ingress rules from the security group and remediate.\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-sg-non-intuit-ingress-remediate-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-sg-non-intuit-ingress-remediate-event", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-hxbchs", + "ConfigRuleId": "config-rule-hxbchs", + "Description": "Detect non-intuit CIDRs/EIPs, non-internal, non-route53 healthchecks ingress rules from the security group and remediate.\n", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::EC2::SecurityGroup" + ] + }, + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-sg-non-intuit-ingress-remediate-event", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ConfigurationItemChangeNotification" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-sg-public-http-https-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-m3f2nf", + "ConfigRuleId": "config-rule-m3f2nf", + "Description": "Detects any 0.0.0.0/0 ingress rules allowing only ports 80 or 443 inbound\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-sg-public-http-https-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-sg-public-not-http-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-sfu4vj", + "ConfigRuleId": "config-rule-sfu4vj", + "Description": "Detects any 0.0.0.0/0 ingress rules allowing ports other than 80 or 443 inbound\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-sg-public-not-http-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-sns-topics-tls-check-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-srao7l", + "ConfigRuleId": "config-rule-srao7l", + "Description": "IS.031.19 SNS topics should be encrypted over HTTPS using aws:SecureTransport condition. ACP policy checks for AWS SNS Topics should use SSL trasaction overr HTTPS.\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-sns-topics-tls-check-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-sqs-inrest-encrypt-check-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-zu33mb", + "ConfigRuleId": "config-rule-zu33mb", + "Description": "DH.004.18 SQS in-rest encryption check on all SQS queue. ACP policy checks for AWS SQS queues that are not encrypted at rest.\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-sqs-inrest-encrypt-check-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-sqs-queue-tls-check-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-4z1swo", + "ConfigRuleId": "config-rule-4z1swo", + "Description": "IS.031.18 SQS queue should be encrypted over HTTPS using aws:SecureTransport condition. ACP policy checks for AWS SQS queues should use SSL trasaction overr HTTPS.\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-sqs-queue-tls-check-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-vpc-endpoint-dynamodb-enabled-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-tkkyr1", + "ConfigRuleId": "config-rule-tkkyr1", + "Description": "Check if all vpcs have dynamodb endpoints for traffic to remian private.\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-vpc-endpoint-dynamodb-enabled-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-vpc-endpoint-s3-enabled-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-vbsenf", + "ConfigRuleId": "config-rule-vbsenf", + "Description": "Check if all vpcs have s3 endpoints for traffic to remian private.\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-vpc-endpoint-s3-enabled-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-custom-vpc-flowlog-enabled-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-izszzw", + "ConfigRuleId": "config-rule-izszzw", + "Description": "Check if vpc flow log is enabled for all traffic and with s3 bucket as destination.\n", + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:custodian-config-custom-vpc-flowlog-enabled-acp-daily", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ScheduledNotification", + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + ] + }, + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-managed-redshift-SSL-parameter-check-acp-daily", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-e76c1t", + "ConfigRuleId": "config-rule-e76c1t", + "Description": "ACP alert for redshift clusters where SSL parameter is set to false\n", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::Redshift::Cluster" + ] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "REDSHIFT_REQUIRE_TLS_SSL" + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-managed-redshift-unencrypted-acp-event", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-fvwp5r", + "ConfigRuleId": "config-rule-fvwp5r", + "Description": "Check whether Amazon Redshift clusters have the specified settings.\n", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::Redshift::Cluster" + ] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "REDSHIFT_CLUSTER_CONFIGURATION_CHECK" + }, + "InputParameters": "{\"clusterDbEncrypted\" : \"true\", \"loggingEnabled\" : \"true\"}", + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-managed-s3-bucket-public-read-remediate-event", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-6spaxq", + "ConfigRuleId": "config-rule-6spaxq", + "Description": "This policy detects if S3 bucket allows public read by the bucket policy or ACL and remediates.\n", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::S3::Bucket" + ] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "S3_BUCKET_PUBLIC_READ_PROHIBITED" + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE" + }, + { + "ConfigRuleName": "custodian-config-managed-s3-bucket-public-write-remediate-event", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-xmyrtr", + "ConfigRuleId": "config-rule-xmyrtr", + "Description": "cloud-custodian AWS Config Managed Rule policy", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::S3::Bucket" + ] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "S3_BUCKET_PUBLIC_WRITE_PROHIBITED" + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE" + } + ], + "NextToken": "eyJlbmNyeXB0ZWREYXRhIjpbOTQsNzgsMTA2LC04NSwtNjgsLTgyLDkwLC0xNiwtNzAsLTMzLDEsMjAsMTAyLC05MywtNzYsMyw2OSwxMyw1NSwxNCwyNiwtMTYsLTExMiw3NCw1OCw2OCwtMTE1LC00MywtMzYsLTcyLC05MiwzMiw5MSwtNDgsLTc0LC01Myw4LC03NiwtODQsLTEyMCw4NSw3OSwtMTAxLC00OCwyNCw2NywtNDgsMTAzLC0xNywtNDYsNjgsLTQ4LC0zNSwtMTA1LC03NiwyMCwxMTcsMTA1LC02OSwtNTUsLTk0LC0xMjIsMzksLTg0LC01NywtNDIsLTU5LDk4LC01NywtMTA5LDIyLDUzLC0xMTcsLTI0LDEwOSwtNzcsMTE4LDQ1LDI2LC00OCwtNjUsNTAsLTgyLDE5LDEyLC0xMTQsMTE2LDcwLC0xNSwtNTIsODIsLTY0LC04NCwtNiw5NCw2NCwxMjQsMTA2LC05LDg4LC0xMjQsLTIwLDY0LC03LDM3LC0xOCwtNzQsLTMsLTc2LDg3LC0zLDExMSwtMzIsLTg1LDQxLDI5LDcsNTEsNTMsLTEyMSwtOTAsMTUsLTExNiw3Myw3OSwtNDMsLTI1LDYsLTQ4LDQ3LDQ4LDUyLC04MSwtOTQsLTExNiwtNzgsLTgxLDg2LC03NywtNTAsODcsLTE0LC0yLC00OCwtMTI4LC04MywyMiwtNzEsLTk2LDY1LDcwLDE0LC04MSwxMTIsLTM1LC01Nyw4NCwtMTcsMjYsLTEwNiwxMDUsNjcsOTUsNDAsLTM2LC02Niw4NCwtNDIsLTg5LC0xMjQsNDIsLTMsLTEwNiwtNiw2NywtMTAwLDk5LDY1LDg5LDExLDEwMiw3OCw1OSwtMTIsNDcsMTE1LC03NCw4OSwtNTEsNDQsMTE0LC00MCwtMzgsMzAsNyw3OSwtNzAsLTk2LDY1LC00LDEsNDUsLTc4LC04MCwtMTUsODcsLTI5LDM0LC05MywzNywtOSwtNzQsMTE4LDcyLC0yLDk0LC02LC0xMjIsLTc1LC0xMjYsNjYsLTk3LDEyMiwtODYsNjQsLTEwMSwtNTMsNTgsOTYsLTE3LC00MSwtOTEsLTEwLDgyLC0xMjcsMiwtNDgsLTQ3LDc3LDgsNzQsMCwxMDUsLTEwMSwtMjUsLTEyNSwtMTEwLDI1LC0xMjEsLTkwLDg4LC01LDY5LDU2LC0xMDYsLTUsNTEsLTQ0LDk2LC0xMTBdLCJtYXRlcmlhbFNldFNlcmlhbE51bWJlciI6MSwiaXZQYXJhbWV0ZXJTcGVjIjp7Iml2IjpbLTEyNiw3OCwtNzMsLTEyNCwtMTA0LDEwNywtMTIyLC0yOCwtMzcsODEsLTczLDEyNCw0OSw2MSwtNDYsLTgwXX19", + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/data/placebo/test_config_rule_remediation/config.DescribeConfigRules_5.json b/tests/data/placebo/test_config_rule_remediation/config.DescribeConfigRules_5.json new file mode 100644 index 00000000000..1180416e7cc --- /dev/null +++ b/tests/data/placebo/test_config_rule_remediation/config.DescribeConfigRules_5.json @@ -0,0 +1,442 @@ +{ + "status_code": 200, + "data": { + "ConfigRules": [ + { + "ConfigRuleName": "securityhub-access-keys-rotated-f26d3a50", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-qr3xdv", + "ConfigRuleId": "config-rule-qr3xdv", + "Description": "Checks whether the active access keys are rotated within the number of days specified in maxAccessKeyAge", + "Scope": { + "ComplianceResourceTypes": [] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "ACCESS_KEYS_ROTATED" + }, + "InputParameters": "{\"maxAccessKeyAge\":\"90\"}", + "MaximumExecutionFrequency": "Twelve_Hours", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-alb-http-to-https-redirection-check-38d2ccc5", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-wcliqa", + "ConfigRuleId": "config-rule-wcliqa", + "Description": "Checks whether HTTP to HTTPS redirection is configured on all HTTP listeners of Application Load Balancers. The rule is NON_COMPLIANT if one or more HTTP listeners of Application Load Balancers do not have HTTP to HTTPS redirection configured.", + "Scope": { + "ComplianceResourceTypes": [] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK" + }, + "InputParameters": "{}", + "MaximumExecutionFrequency": "Twelve_Hours", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-api-gw-cache-encrypted-87f8820d", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-sbxxle", + "ConfigRuleId": "config-rule-sbxxle", + "Description": "This control checks whether all methods in Amazon API Gateway REST API stages that have cache enabled are encrypted. The control fails if any method in API Gateway REST API stage is configured to cache and the cache is not encrypted.", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::ApiGateway::Stage" + ] + }, + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:SecurityHubConfigRule", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ConfigurationItemChangeNotification" + } + ] + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-api-gw-ssl-enabled-63dc8c41", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-yr81mc", + "ConfigRuleId": "config-rule-yr81mc", + "Description": "Checks if a REST API stage uses an Secure Sockets Layer (SSL) certificate. This rule is NON_COMPLIANT if the REST API stage does not have an associated SSL certificate.", + "Scope": {}, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "API_GW_SSL_ENABLED" + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-autoscaling-group-elb-healthcheck-required-2d5a6ad0", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-iadvuh", + "ConfigRuleId": "config-rule-iadvuh", + "Description": "Checks whether your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks.", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::AutoScaling::AutoScalingGroup" + ] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "AUTOSCALING_GROUP_ELB_HEALTHCHECK_REQUIRED" + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-beanstalk-enhanced-health-reporting-enabled-3cd8fabc", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-pofqbn", + "ConfigRuleId": "config-rule-pofqbn", + "Description": "Checks for Elastic Beanstalk environment is configured for 'enhanced' health reporting and NON_COMPLIANT if configured for 'basic' health reporting.", + "Scope": {}, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "BEANSTALK_ENHANCED_HEALTH_REPORTING_ENABLED" + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-cloudfront-default-root-object-configured-5f819e3d", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-o8s9vi", + "ConfigRuleId": "config-rule-o8s9vi", + "Description": "Checks if an Amazon CloudFront distribution is configured to return a specific object that is the default root object. The rule is NON_COMPLIANT if CloudFront distribution does not have a default root object configured.", + "Scope": {}, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "CLOUDFRONT_DEFAULT_ROOT_OBJECT_CONFIGURED" + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-cloudfront-origin-access-identity-enabled-29ec54cd", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-i2sjag", + "ConfigRuleId": "config-rule-i2sjag", + "Description": "Checks that Amazon CloudFront distribution with Amazon S3 Origin type has Origin Access Identity (OAI) configured.", + "Scope": {}, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "CLOUDFRONT_ORIGIN_ACCESS_IDENTITY_ENABLED" + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-cmk-backing-key-rotation-enabled-9f83d77c", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-vc6n5v", + "ConfigRuleId": "config-rule-vc6n5v", + "Description": "Checks that key rotation is enabled for customer created customer master key (CMK)", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::KMS::Key" + ] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "CMK_BACKING_KEY_ROTATION_ENABLED" + }, + "InputParameters": "{}", + "MaximumExecutionFrequency": "Twelve_Hours", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-codebuild-project-envvar-awscred-check-8b50af67", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-mu7n4n", + "ConfigRuleId": "config-rule-mu7n4n", + "Description": "Checks whether the project contains environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::CodeBuild::Project" + ] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK" + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-codebuild-project-source-repo-url-check-47c85a11", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-oxcp7f", + "ConfigRuleId": "config-rule-oxcp7f", + "Description": "Checks whether the GitHub or Bitbucket source repository URL contains either personal access tokens or user name and password.", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::CodeBuild::Project" + ] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "CODEBUILD_PROJECT_SOURCE_REPO_URL_CHECK" + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-dax-encryption-enabled-d2bb4e30", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-biwg1z", + "ConfigRuleId": "config-rule-biwg1z", + "Description": "Checks that DynamoDB Accelerator (DAX) clusters are encrypted. The rule is NON_COMPLIANT if a DAX cluster is not encrypted.", + "Scope": {}, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "DAX_ENCRYPTION_ENABLED" + }, + "InputParameters": "{}", + "MaximumExecutionFrequency": "Twelve_Hours", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-dms-replication-not-public-ae5ec4a0", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-hduivd", + "ConfigRuleId": "config-rule-hduivd", + "Description": "Checks whether AWS Database Migration Service replication instances are public. The rule is NON_COMPLIANT if PubliclyAccessible field is true.", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::DMS::ReplicationInstance" + ] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "DMS_REPLICATION_NOT_PUBLIC" + }, + "InputParameters": "{}", + "MaximumExecutionFrequency": "Twelve_Hours", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-dynamodb-pitr-enabled-f66363e6", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-wmavit", + "ConfigRuleId": "config-rule-wmavit", + "Description": "Checks that point in time recovery (PITR) is enabled for Amazon DynamoDB tables. The rule is NON_COMPLIANT if point in time recovery is not enabled for Amazon DynamoDB tables", + "Scope": {}, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "DYNAMODB_PITR_ENABLED" + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-ec2-ebs-encryption-by-default-f75d5eaf", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-org9vk", + "ConfigRuleId": "config-rule-org9vk", + "Description": "Checks that Amazon Elastic Block Store (EBS) encryption is enabled by default. The rule is NON_COMPLIANT if the encryption is not enabled.", + "Scope": {}, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "EC2_EBS_ENCRYPTION_BY_DEFAULT" + }, + "InputParameters": "{}", + "MaximumExecutionFrequency": "Twelve_Hours", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-ec2-imdsv2-check-2c4bae6e", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-uhgi3k", + "ConfigRuleId": "config-rule-uhgi3k", + "Description": "Checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2).", + "Scope": {}, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "EC2_IMDSV2_CHECK" + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-ec2-stopped-instance-c7e6e42b", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-scmmhs", + "ConfigRuleId": "config-rule-scmmhs", + "Description": "Checks whether there are instances stopped for more than the allowed number of days.", + "Scope": {}, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "EC2_STOPPED_INSTANCE" + }, + "InputParameters": "{\"AllowedDays\":\"30\"}", + "MaximumExecutionFrequency": "Twelve_Hours", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-ecs-service-assign-public-ip-disabled-7c70554d", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-vsbkcy", + "ConfigRuleId": "config-rule-vsbkcy", + "Description": "This control checks whether ECS services are configured to automatically assign public IP addresses. This control fails if AssignPublicIP is ENABLED.", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::ECS::Service" + ] + }, + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:SecurityHubConfigRule", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ConfigurationItemChangeNotification" + } + ] + }, + "InputParameters": "{\"version\":\"1.1\"}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-ecs-task-definition-user-for-host-mode-check-ca820c41", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-3on5qw", + "ConfigRuleId": "config-rule-3on5qw", + "Description": "This control checks if an Amazon ECS Task Definition with host networking mode has \"privileged\" or \"user\" container definitions. The control fails with host network mode and container definitions are privileged=false or empty and user=root or empty.", + "Scope": {}, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "ECS_TASK_DEFINITION_USER_FOR_HOST_MODE_CHECK" + }, + "InputParameters": "{\"SkipInactiveTaskDefinitions\":\"true\"}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-efs-encrypted-check-20daaceb", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-3pfrel", + "ConfigRuleId": "config-rule-3pfrel", + "Description": "Elastic File System should be configured to encrypt file data at-rest using AWS KMS.", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::EFS::FileSystem" + ] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "EFS_ENCRYPTED_CHECK" + }, + "InputParameters": "{}", + "MaximumExecutionFrequency": "Twelve_Hours", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-eip-attached-97f76f9b", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-anwexf", + "ConfigRuleId": "config-rule-anwexf", + "Description": "Checks whether all Elastic IP addresses that are allocated to a VPC are attached to EC2 instances or in-use elastic network interfaces (ENIs).", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::EC2::EIP" + ] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "EIP_ATTACHED" + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-elastic-beanstalk-managed-updates-enabled-e959c118", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-b0iwkp", + "ConfigRuleId": "config-rule-b0iwkp", + "Description": "Checks if managed platform updates in an AWS Elastic Beanstalk environment is enabled. The rule is NON_COMPLIANT if the value for \u2018ManagedActionsEnabled\u2019 is set to false or if a parameter is provided whose value does not match the existing configurations.", + "Scope": {}, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "ELASTIC_BEANSTALK_MANAGED_UPDATES_ENABLED" + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-elasticsearch-audit-logging-enabled-f5fa2de9", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-xqhsdr", + "ConfigRuleId": "config-rule-xqhsdr", + "Description": "This control checks whether Elasticsearch domains have audit logging enabled. This control fails if an Elasticsearch domain does not have audit logging enabled.", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::Elasticsearch::Domain" + ] + }, + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:SecurityHubConfigRule", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ConfigurationItemChangeNotification" + } + ] + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-elasticsearch-encrypted-at-rest-d1570b05", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-fakvzq", + "ConfigRuleId": "config-rule-fakvzq", + "Description": "Checks whether Elasticsearch domains have encryption at rest configuration enabled.", + "Scope": { + "ComplianceResourceTypes": [] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "ELASTICSEARCH_ENCRYPTED_AT_REST" + }, + "InputParameters": "{}", + "MaximumExecutionFrequency": "Twelve_Hours", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-elasticsearch-https-required-a3fe1b06", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-eyceff", + "ConfigRuleId": "config-rule-eyceff", + "Description": "This control checks whether connections to Elasticsearch domains are required to use TLS 1.2. The check fails if the Elasticsearch domain TLSSecurityPolicy is not Policy-Min-TLS-1-2-2019-07.", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::Elasticsearch::Domain" + ] + }, + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:SecurityHubConfigRule", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ConfigurationItemChangeNotification" + } + ] + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + } + ], + "NextToken": "eyJlbmNyeXB0ZWREYXRhIjpbOSwtNTgsLTEyNywtOTAsMjQsLTEwMiwtMTgsOTIsOTUsOCwtNCwtNDYsMTIsLTk5LDMxLC0xMjYsNjEsLTE2LC05OCwyMiwtNDksMTExLC03MiwtMTI2LDEyNywtMTksLTM4LC0xMTEsODQsLTEyNCwtMTA2LC0yNiwxOSwtNDcsODksLTk3LDUsMTIwLDExNSw3MiwxMjMsNTEsMTE2LC0xMDQsNjUsLTExOCw5OSw2NywtNzAsLTEwNCwzLC03MSw3LC01LDEwOSwyNCwtNzcsLTIxLC0xNSwxMDIsODAsMTE3LC0xMDAsNjksMzAsLTQ5LC01LC00OSwtMzAsLTEsLTMyLDYwLC0xMDIsMTI3LDIxLC0xMTcsMzcsMTE0LDEwNiwzMiwtODAsLTEwNSwtOTMsLTY0LDEyNiwxMDYsODIsODQsNzIsLTEwNiw1NSw0MywxMDMsLTE1LDY1LC01MywtNzQsLTExNSwxMDgsNzgsLTExNiwtNTcsNDgsLTExMCw3OSwyNCwxMDAsLTEyMCwtOTYsLTczLC0zMiwtMTEyLC0xMywtMzgsNzgsLTg5LC04NCwtODEsOTMsMjIsMTE5LC02NywtODcsLTMzLC0xMjcsLTY2LC03NCw1MCw3LC05MiwyMiwtNjMsLTEwOSwxMjEsMTExLC04MCw1MSwtMTIzLDQ3LC03MiwyMywtODksMTQsLTEyNiw0NywxMTYsLTEyNiw3NCwtOTUsLTY1LDI1LC0yMywtNjYsNzQsNjksOTYsMyw3NSwxMDUsLTg1LC03NywxMjUsMzUsLTk2LDksLTEyNSwtMTcsLTExMCw4MiwtMzAsLTkwLC03NywtOTEsOTksMTA4LDEsLTY2LC05NiwtMTA3LC02NiwtNjcsNSw3NSwxMjUsLTEyNSw5OSw2LC01Myw1LC0zNCwtNDQsLTMwLC04LC01MSwtMTAwLDExOCwtMTEzLC0zMSwtMTA2LDIyLDI0LC03OCwtNjQsLTc3LC01MCwxMDEsLTU3LC0xMTksLTY2LDgzLDI0LC0xMjQsLTYwLC03NywxMDUsMTIxLDM2LDY1LDExNywtNTEsLTEwMSwyOCw3LC0zNywyNywtMTE4LDExNCwxMTAsLTEwMiw1LDc4LC03OSwtODIsNjIsLTU0LDc1LC0xMTcsNTYsMjksLTEwNSw1NywtMzMsMTIzLC0zOCwtNDIsNzNdLCJtYXRlcmlhbFNldFNlcmlhbE51bWJlciI6MSwiaXZQYXJhbWV0ZXJTcGVjIjp7Iml2IjpbLTQ3LDEyNywtNCwtODQsNiwtODIsMzIsNTUsLTIsMzgsMzUsMTIsODUsLTg5LC0yNCwxMTFdfX0=", + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/data/placebo/test_config_rule_remediation/config.DescribeConfigRules_6.json b/tests/data/placebo/test_config_rule_remediation/config.DescribeConfigRules_6.json new file mode 100644 index 00000000000..25fcd5217f3 --- /dev/null +++ b/tests/data/placebo/test_config_rule_remediation/config.DescribeConfigRules_6.json @@ -0,0 +1,444 @@ +{ + "status_code": 200, + "data": { + "ConfigRules": [ + { + "ConfigRuleName": "securityhub-elasticsearch-in-vpc-only-77e11694", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-v8y0lr", + "ConfigRuleId": "config-rule-v8y0lr", + "Description": "Checks whether Elasticsearch domains are in Amazon Virtual Private Cloud (Amazon VPC).", + "Scope": { + "ComplianceResourceTypes": [] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "ELASTICSEARCH_IN_VPC_ONLY" + }, + "InputParameters": "{}", + "MaximumExecutionFrequency": "Twelve_Hours", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-elasticsearch-logs-to-cloudwatch-46f639b8", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-ipyx42", + "ConfigRuleId": "config-rule-ipyx42", + "Description": "This control checks whether Elasticsearch domains are configured to send error logs to CloudWatch Logs.", + "Scope": {}, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "ELASTICSEARCH_LOGS_TO_CLOUDWATCH" + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-elasticsearch-node-to-node-encryption-check-665e847e", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-89kmnf", + "ConfigRuleId": "config-rule-89kmnf", + "Description": "Check that Elasticsearch nodes are encrypted end to end. The rule is NON_COMPLIANT if the node-to-node encryption is disabled on the domain.", + "Scope": {}, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK" + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-elb-connection-draining-enabled-618a1d66", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-93u5x1", + "ConfigRuleId": "config-rule-93u5x1", + "Description": "This control checks whether AWS Classic Load Balancers have connection draining enabled.", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::ElasticLoadBalancing::LoadBalancer" + ] + }, + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:SecurityHubConfigRule", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ConfigurationItemChangeNotification" + } + ] + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-elb-deletion-protection-enabled-a0f861fa", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-h5x0n8", + "ConfigRuleId": "config-rule-h5x0n8", + "Description": "Checks whether Elastic Load Balancing has deletion protection enabled. The rule is NON_COMPLIANT if deletion_protection.enabled is false.", + "Scope": {}, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "ELB_DELETION_PROTECTION_ENABLED" + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-elb-predefined-security-policy-ssl-check-d6a735b0", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-slumeu", + "ConfigRuleId": "config-rule-slumeu", + "Description": "This control checks whether your Classic Load Balancer SSL listeners use the predefined policy ELBSecurityPolicy-TLS-1-2-2017-01.", + "Scope": {}, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "ELB_PREDEFINED_SECURITY_POLICY_SSL_CHECK" + }, + "InputParameters": "{\"predefinedPolicyName\":\"ELBSecurityPolicy-TLS-1-2-2017-01\"}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-emr-master-no-public-ip-4703b209", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-bkkanv", + "ConfigRuleId": "config-rule-bkkanv", + "Description": "Checks whether Amazon Elastic MapReduce (EMR) clusters' master nodes have public IPs. The rule is NON_COMPLIANT if the master node has a public IP.", + "Scope": {}, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "EMR_MASTER_NO_PUBLIC_IP" + }, + "InputParameters": "{}", + "MaximumExecutionFrequency": "Twelve_Hours", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-encrypted-volumes-1f0a0d67", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-b61ngw", + "ConfigRuleId": "config-rule-b61ngw", + "Description": "Checks whether the EBS volumes that are in an attached state are encrypted. If you specify the ID of a KMS key for encryption using the kmsId parameter, the rule checks if the EBS volumes in an attached state are encrypted with that KMS key.", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::EC2::Volume" + ] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "ENCRYPTED_VOLUMES" + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-guardduty-enabled-centralized-434c7935", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-vmhn7k", + "ConfigRuleId": "config-rule-vmhn7k", + "Description": "This AWS control checks whether Amazon GuardDuty is enabled in your AWS account and region.", + "Scope": { + "ComplianceResourceTypes": [] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "GUARDDUTY_ENABLED_CENTRALIZED" + }, + "InputParameters": "{}", + "MaximumExecutionFrequency": "Twelve_Hours", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-iam-customer-policy-blocked-kms-actions-635b4241", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-kcwwsf", + "ConfigRuleId": "config-rule-kcwwsf", + "Description": "Checks that the managed AWS Identity and Access Management (IAM) policies that you create do not allow blocked actions on all AWS KMS keys. The rule is NON_COMPLIANT if any blocked action is allowed on all AWS KMS keys by the managed IAM policy.", + "Scope": {}, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "IAM_CUSTOMER_POLICY_BLOCKED_KMS_ACTIONS" + }, + "InputParameters": "{\"blockedActionsPatterns\":\"kms:Decrypt,kms:ReEncryptFrom\"}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-iam-password-policy-ensure-expires-533a56f7", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-bhgpjw", + "ConfigRuleId": "config-rule-bhgpjw", + "Description": "Checks whether the account password policy for IAM users expires passwords within certain days", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::IAM::User" + ] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "IAM_PASSWORD_POLICY" + }, + "InputParameters": "{\"MaxPasswordAge\":\"90\"}", + "MaximumExecutionFrequency": "Twelve_Hours", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-iam-password-policy-lowercase-letter-check-0dc3e146", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-xqulwt", + "ConfigRuleId": "config-rule-xqulwt", + "Description": "Checks whether the account password policy for IAM users requires at least one lowercase character in password.", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::IAM::User" + ] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "IAM_PASSWORD_POLICY" + }, + "InputParameters": "{\"RequireLowercaseCharacters\":\"true\"}", + "MaximumExecutionFrequency": "Twelve_Hours", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-iam-password-policy-minimum-length-check-1d8aea2d", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-6mgr5p", + "ConfigRuleId": "config-rule-6mgr5p", + "Description": "Checks whether the account password policy for IAM users requires minimum password length.", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::IAM::User" + ] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "IAM_PASSWORD_POLICY" + }, + "InputParameters": "{\"MinimumPasswordLength\":\"14\"}", + "MaximumExecutionFrequency": "Twelve_Hours", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-iam-password-policy-number-check-1293d8f6", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-z9hmwf", + "ConfigRuleId": "config-rule-z9hmwf", + "Description": "Checks whether the account password policy for IAM users requires at least one number in password.", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::IAM::User" + ] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "IAM_PASSWORD_POLICY" + }, + "InputParameters": "{\"RequireNumbers\":\"true\"}", + "MaximumExecutionFrequency": "Twelve_Hours", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-iam-password-policy-prevent-reuse-check-50aaf164", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-zuwoxq", + "ConfigRuleId": "config-rule-zuwoxq", + "Description": "Checks whether the account password policy for IAM users prevents password reuse.", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::IAM::User" + ] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "IAM_PASSWORD_POLICY" + }, + "InputParameters": "{\"PasswordReusePrevention\":\"24\"}", + "MaximumExecutionFrequency": "Twelve_Hours", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-iam-password-policy-recommended-defaults-no-symbols-required-46b9b4e2", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-y0kflg", + "ConfigRuleId": "config-rule-y0kflg", + "Description": "Checks whether the account password policy for IAM users meets the specified requirements.", + "Scope": {}, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "IAM_PASSWORD_POLICY" + }, + "InputParameters": "{\"RequireUppercaseCharacters\":\"true\",\"RequireLowercaseCharacters\":\"true\",\"RequireNumbers\":\"true\",\"MinimumPasswordLength\":\"7\",\"PasswordReusePrevention\":\"4\",\"MaxPasswordAge\":\"90\"}", + "MaximumExecutionFrequency": "Twelve_Hours", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-iam-password-policy-symbol-check-23ac4c71", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-heijyz", + "ConfigRuleId": "config-rule-heijyz", + "Description": "Checks whether the account password policy for IAM users requires at least one symbol in password.", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::IAM::User" + ] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "IAM_PASSWORD_POLICY" + }, + "InputParameters": "{\"RequireSymbols\":\"true\"}", + "MaximumExecutionFrequency": "Twelve_Hours", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-iam-password-policy-uppercase-letter-check-09f5ab22", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-rjxxlw", + "ConfigRuleId": "config-rule-rjxxlw", + "Description": "Checks whether the account password policy for IAM users requires at least one uppercase character in password.", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::IAM::User" + ] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "IAM_PASSWORD_POLICY" + }, + "InputParameters": "{\"RequireUppercaseCharacters\":\"true\"}", + "MaximumExecutionFrequency": "Twelve_Hours", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-iam-policy-no-statements-with-admin-access-86c8e938", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-gzrrb2", + "ConfigRuleId": "config-rule-gzrrb2", + "Description": "Checks whether the default version of IAM policies have administrator access", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::IAM::Policy" + ] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS" + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-iam-policy-no-statements-with-full-access-9886e089", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-dajrpx", + "ConfigRuleId": "config-rule-dajrpx", + "Description": "This control checks whether the IAM identity-based custom policies have Allow statements that grant permissions for all actions on a service. The control fails if any policy statement includes \"Effect\": \"Allow\" with \"Action\": \"Service:*\".", + "Scope": {}, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "IAM_POLICY_NO_STATEMENTS_WITH_FULL_ACCESS" + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-iam-root-access-key-check-e6dacbee", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-nwpde5", + "ConfigRuleId": "config-rule-nwpde5", + "Description": "Checks whether the root user access key is available.", + "Scope": { + "ComplianceResourceTypes": [] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "IAM_ROOT_ACCESS_KEY_CHECK" + }, + "InputParameters": "{}", + "MaximumExecutionFrequency": "Twelve_Hours", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-iam-user-no-policies-check-8f7ee586", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-lih1iz", + "ConfigRuleId": "config-rule-lih1iz", + "Description": "Checks that none of your IAM users have policies attached. IAM users must inherit permissions from IAM groups or roles.", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::IAM::User" + ] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "IAM_USER_NO_POLICIES_CHECK" + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-iam-user-unused-credentials-check-176aeba6", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-emv5gw", + "ConfigRuleId": "config-rule-emv5gw", + "Description": "This control checks whether your IAM users have passwords or active access keys that were not used within the previous 90 days.", + "Scope": { + "ComplianceResourceTypes": [] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "IAM_USER_UNUSED_CREDENTIALS_CHECK" + }, + "InputParameters": "{\"maxCredentialUsageAge\":\"90\"}", + "MaximumExecutionFrequency": "Twelve_Hours", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-kms-cmk-not-scheduled-for-deletion-2-3cabadd0", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-c65w1l", + "ConfigRuleId": "config-rule-c65w1l", + "Description": "This control checks whether AWS Key Management Service (KMS) customer managed keys (CMK) are scheduled for deletion. The control fails if a KMS CMK is scheduled for deletion.", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::KMS::Key" + ] + }, + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:SecurityHubConfigRule", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ConfigurationItemChangeNotification" + } + ] + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-lambda-function-public-access-prohibited-7abe7b23", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-bnoabf", + "ConfigRuleId": "config-rule-bnoabf", + "Description": "Checks whether the AWS Lambda function policy attached to the Lambda resource prohibits public access.", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::Lambda::Function" + ] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED" + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + } + ], + "NextToken": "eyJlbmNyeXB0ZWREYXRhIjpbNzMsMjEsNjYsNjcsNzUsLTEwLC02MCw0NSw4NiwtMTQsLTE4LC00NCwtMTI2LDU3LC0xMTEsLTk2LC03Miw0LC01OCwxMjQsODksLTI5LDExLDIyLC01NCw1MiwxMTUsLTM3LDM4LDY1LDUwLDEwMSwtODEsNjAsLTM4LC05Miw3OSwtOTcsLTEyNywtNDksLTEwMSwtNzUsLTQyLDUyLC0zMiw4MiwxMjMsODAsLTk4LC0xLC02LDExMywtNjMsLTQxLDExNSwxOSwxMDMsLTEwOCw2LDgzLDExLC04OCwtMTEwLDQyLDU1LC0zLC03OSwtOCwyOSw2MywtODMsMTIyLC02MiwtMzAsMTA0LDEyMSwtNDUsMTcsOTUsNzksMTIyLC0yNywtNDAsMTMsLTU1LC0xMjMsMTEzLC05OSw4OCwtMTEzLDYsLTEwNCwtNDUsLTg3LC04MSwxMjEsMTE1LC0xMjcsOTcsLTEyNSw0MywtODAsMzIsLTE2LC04OSwtMTIsLTE1LC0xOCw3MSwzMiw5MSwtMiwtMTE2LC05MCwtMzksLTc1LC01NCwtNTEsNzcsODEsMTgsLTkxLC0yOSw5OSw5OSwxNCwzMywtNzcsLTkzLC0xNCwtNDYsNTQsLTk1LC0xMDUsLTM2LC0xMDksLTM0LC0yLDc5LC0xMSwtMTE0LC02OSwtNjAsMTE3LC0xMDUsNjQsLTgsMTE1LDYzLC01MywtMzgsNzEsNjIsLTMzLDk4LDg4LC04MCwtMTA2LDM0LC05MSwtMjUsLTM5LDEsLTE4LC0xMTMsLTc4LDEwNCwtNSw1MSwtMzYsLTExMiwtMTAxLC05MCw0LDM4LDkzLDExLC04LDM0LDIsMCw4LDM1LC03Nyw5NCwtMTIwLC0xMTAsLTUxLC00OCw4Niw1MCwzLC0yNywtMjEsLTYwLDE2LDEwNywtMTE3LC0xMDYsLTIwLC0xMjEsMTksLTEwNyw3LC02MSwtOTYsOTksLTkxLC05MSwyLDQ2LC05NCwyMiw2MCwtNDAsLTY3LC04NCwtODMsLTI5LDEwMywyMCwtMTEyLC02NywzMywtMTIwLDYzLC0xMTQsODUsLTIzLC0xMDYsNTcsMzIsLTIyLDc3LC0xMTEsNTksMTUsLTUwLDEwNSw4Niw5NCwtODYsNjQsMjcsLTcsLTczLC03MSw5LDQ5LDE4LC0xMiwyMiwyNSwyMCwtNzUsNzUsMTA3LC0xMTBdLCJtYXRlcmlhbFNldFNlcmlhbE51bWJlciI6MSwiaXZQYXJhbWV0ZXJTcGVjIjp7Iml2IjpbLTQyLDksLTQ2LDIxLC0xMjUsLTEwNSwtMTA3LDEyNCwzNCwtNzEsLTEsLTEzLC0xMiwtNDcsLTIzLDQ0XX19", + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/data/placebo/test_config_rule_remediation/config.DescribeConfigRules_7.json b/tests/data/placebo/test_config_rule_remediation/config.DescribeConfigRules_7.json new file mode 100644 index 00000000000..60ef30d75f9 --- /dev/null +++ b/tests/data/placebo/test_config_rule_remediation/config.DescribeConfigRules_7.json @@ -0,0 +1,431 @@ +{ + "status_code": 200, + "data": { + "ConfigRules": [ + { + "ConfigRuleName": "securityhub-lambda-function-settings-check-ff7b6963", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-3jq13q", + "ConfigRuleId": "config-rule-3jq13q", + "Description": "Checks that the AWS Lambda function settings for runtime, role, timeout, and memory size match the expected values.", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::Lambda::Function" + ] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "LAMBDA_FUNCTION_SETTINGS_CHECK" + }, + "InputParameters": "{\"runtime\":\"nodejs14.x,nodejs12.x,python3.9,python3.8,python3.7,python3.6,java11,java8,java8.al2,go1.x,dotnetcore3.1,ruby2.7\"}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-mfa-enabled-for-iam-console-access-77c4d110", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-7qk8mm", + "ConfigRuleId": "config-rule-7qk8mm", + "Description": "Checks whether AWS Multi-Factor Authentication (MFA) is enabled for all AWS Identity and Access Management (IAM) users that use a console password.", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::IAM::User" + ] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS" + }, + "InputParameters": "{}", + "MaximumExecutionFrequency": "Twelve_Hours", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-rds-automatic-minor-version-upgrade-enabled-b07994d3", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-ddeqhn", + "ConfigRuleId": "config-rule-ddeqhn", + "Description": "This control checks if automatic minor version upgrades are enabled for the Amazon RDS database instance.", + "Scope": {}, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "RDS_AUTOMATIC_MINOR_VERSION_UPGRADE_ENABLED" + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-rds-cluster-deletion-protection-enabled-ce021933", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-hafaoe", + "ConfigRuleId": "config-rule-hafaoe", + "Description": "Checks if an Amazon Relational Database Service (Amazon RDS) cluster has deletion protection enabled. This rule is NON_COMPLIANT if an RDS cluster does not have deletion protection enabled.", + "Scope": {}, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "RDS_CLUSTER_DELETION_PROTECTION_ENABLED" + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-rds-cluster-multi-az-enabled-6d02703d", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-zfipds", + "ConfigRuleId": "config-rule-zfipds", + "Description": "This control checks if RDS DB clusters are configured with multi-az.", + "Scope": {}, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "RDS_CLUSTER_MULTI_AZ_ENABLED" + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-rds-deployed-in-vpc-c66ad3aa", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-jxd9w4", + "ConfigRuleId": "config-rule-jxd9w4", + "Description": "This control checks if an RDS instance is deployed in a VPC (EC2-VPC).", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::RDS::DBInstance" + ] + }, + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:SecurityHubConfigRule", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ConfigurationItemChangeNotification" + } + ] + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-rds-enhanced-monitoring-enabled-10256ac2", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-w1kdtq", + "ConfigRuleId": "config-rule-w1kdtq", + "Description": "Checks whether enhanced monitoring is enabled for Amazon Relational Database Service (Amazon RDS) instances.", + "Scope": {}, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "RDS_ENHANCED_MONITORING_ENABLED" + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-rds-instance-deletion-protection-enabled-0424bd91", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-kcq2cn", + "ConfigRuleId": "config-rule-kcq2cn", + "Description": "Checks if an Amazon Relational Database Service (Amazon RDS) instance has deletion protection enabled.", + "Scope": {}, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "RDS_INSTANCE_DELETION_PROTECTION_ENABLED" + }, + "InputParameters": "{\"databaseEngines\":\"mariadb,mysql,oracle-ee,oracle-se2,oracle-se1,oracle-se,postgres,sqlserver-ee,sqlserver-se,sqlserver-ex,sqlserver-web\"}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-rds-instance-public-access-check-33b05d85", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-178tfr", + "ConfigRuleId": "config-rule-178tfr", + "Description": "Check whether the Amazon Relational Database Service instances are not publicly accessible.", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::RDS::DBInstance" + ] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "RDS_INSTANCE_PUBLIC_ACCESS_CHECK" + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-rds-multi-az-support-61b58491", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-kwl7fc", + "ConfigRuleId": "config-rule-kwl7fc", + "Description": "Checks whether high availability is enabled for your RDS DB instances.", + "Scope": {}, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "RDS_MULTI_AZ_SUPPORT" + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-rds-snapshot-encrypted-8860b277", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-uxd0so", + "ConfigRuleId": "config-rule-uxd0so", + "Description": "Checks whether Amazon Relational Database Service (Amazon RDS) DB snapshots are encrypted. The rule is NON_COMPLIANT, if Amazon RDS DB snapshots are not encrypted.", + "Scope": {}, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "RDS_SNAPSHOT_ENCRYPTED" + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-rds-snapshots-public-prohibited-d04147c6", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-qlbisg", + "ConfigRuleId": "config-rule-qlbisg", + "Description": "Checks if Amazon Relational Database Service (Amazon RDS) snapshots are public.", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::RDS::DBSnapshot", + "AWS::RDS::DBClusterSnapshot" + ] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "RDS_SNAPSHOTS_PUBLIC_PROHIBITED" + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-rds-storage-encrypted-7da07a05", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-rphw3l", + "ConfigRuleId": "config-rule-rphw3l", + "Description": "Checks whether storage encryption is enabled for your RDS DB instances.", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::RDS::DBInstance" + ] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "RDS_STORAGE_ENCRYPTED" + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-redshift-cluster-audit-logging-enabled-fca833b7", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-hwcklg", + "ConfigRuleId": "config-rule-hwcklg", + "Description": "This control checks whether the Amazon Redshift cluster has audit logging enabled.", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::Redshift::Cluster" + ] + }, + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:SecurityHubConfigRule", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ConfigurationItemChangeNotification" + } + ] + }, + "InputParameters": "{\"loggingEnabled\":\"true\"}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-redshift-cluster-public-access-check-dbba313f", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-mxmtno", + "ConfigRuleId": "config-rule-mxmtno", + "Description": "Checks whether Amazon Redshift clusters are not publicly accessible.", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::Redshift::Cluster" + ] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK" + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-redshift-enhanced-vpc-routing-enabled-28c8a4a7", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-qyov3f", + "ConfigRuleId": "config-rule-qyov3f", + "Description": "This control checks whether a Redshift cluster has EnhancedVpcRouting enabled.", + "Scope": {}, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "REDSHIFT_ENHANCED_VPC_ROUTING_ENABLED" + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-redshift-require-tls-ssl-e9a92823", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-83po5g", + "ConfigRuleId": "config-rule-83po5g", + "Description": "Checks whether Amazon Redshift clusters require TLS/SSL encryption to connect to SQL clients. The rule is NON_COMPLIANT if any Amazon Redshift cluster has parameter require_SSL not set to true.", + "Scope": {}, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "REDSHIFT_REQUIRE_TLS_SSL" + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-restricted-rdp-1a79a5c5", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-86sgyh", + "ConfigRuleId": "config-rule-86sgyh", + "Description": "Checks whether the incoming RDP traffic is Allowed from 0.0.0.0/0. This rule is compliant when incoming RDP traffic is restricted.", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::EC2::SecurityGroup" + ] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "RESTRICTED_INCOMING_TRAFFIC" + }, + "InputParameters": "{\"blockedPort1\":\"3389\"}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-restricted-ssh-aee651a6", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-wug62r", + "ConfigRuleId": "config-rule-wug62r", + "Description": "Checks whether the incoming SSH traffic for the security groups is accessible. The rule is compliant when the IP addresses of the incoming SSH traffic in the security groups are restricted. This rule applies only to IPv4.", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::EC2::SecurityGroup" + ] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "INCOMING_SSH_DISABLED" + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-root-account-mfa-enabled-a6035638", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-xkrqui", + "ConfigRuleId": "config-rule-xkrqui", + "Description": "Checks whether users of your AWS account require a multi-factor authentication (MFA) device to sign in with root credentials.", + "Scope": { + "ComplianceResourceTypes": [] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "ROOT_ACCOUNT_MFA_ENABLED" + }, + "InputParameters": "{}", + "MaximumExecutionFrequency": "Twelve_Hours", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-s3-account-level-public-access-blocks-periodic-be7f9a10", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-trnlnc", + "ConfigRuleId": "config-rule-trnlnc", + "Description": "Checks if the required public access block settings are configured from account level.", + "Scope": {}, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS_PERIODIC" + }, + "InputParameters": "{\"RestrictPublicBuckets\":\"True\",\"BlockPublicPolicy\":\"True\",\"BlockPublicAcls\":\"True\",\"IgnorePublicAcls\":\"True\"}", + "MaximumExecutionFrequency": "Twelve_Hours", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-s3-bucket-blacklisted-actions-prohibited-877f0709", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-zxpcjr", + "ConfigRuleId": "config-rule-zxpcjr", + "Description": "Checks that the Amazon Simple Storage Service bucket policy does not allow blacklisted bucket-level and object-level actions on resources in the bucket for principals from other AWS accounts.", + "Scope": {}, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "S3_BUCKET_BLACKLISTED_ACTIONS_PROHIBITED" + }, + "InputParameters": "{\"blacklistedActionPattern\":\"s3:DeleteBucketPolicy,s3:PutBucketAcl,s3:PutBucketPolicy,s3:PutObjectAcl,s3:PutEncryptionConfiguration\"}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-s3-bucket-public-read-prohibited-2048f14d", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-61s7gq", + "ConfigRuleId": "config-rule-61s7gq", + "Description": "Checks to see if S3 buckets are publicly readable.", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::S3::Bucket" + ] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "S3_BUCKET_PUBLIC_READ_PROHIBITED" + }, + "InputParameters": "{}", + "MaximumExecutionFrequency": "Twelve_Hours", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-s3-bucket-public-write-prohibited-a4282c5b", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-04ncrh", + "ConfigRuleId": "config-rule-04ncrh", + "Description": "Checks to see if S3 buckets allow public write.", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::S3::Bucket" + ] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "S3_BUCKET_PUBLIC_WRITE_PROHIBITED" + }, + "InputParameters": "{}", + "MaximumExecutionFrequency": "Twelve_Hours", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-s3-bucket-server-side-encryption-enabled-f6b70d99", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-segclk", + "ConfigRuleId": "config-rule-segclk", + "Description": "Checks that your Amazon S3 bucket either has Amazon S3 default encryption enabled or that the S3 bucket policy explicitly denies put-object requests without server side encryption.", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::S3::Bucket" + ] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED" + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + } + ], + "NextToken": "eyJlbmNyeXB0ZWREYXRhIjpbMzcsMTMsLTUzLDIxLDgzLC0xNiw2OSwxMTQsNzcsMTMsMTI1LDQ1LDExNCw3OCwxMTAsNzAsNjYsNTgsOTYsLTkxLC0yMiw5MiwxMDQsLTY4LC04MSw0OSwtMTUsMjMsMTA2LC03LC05NiwtNTUsMjAsLTg4LC0xMDYsLTg4LDkyLDQsOCwxMDUsMTA0LDEwOSwtMjcsOTEsLTU5LC03NCwtNzQsMzgsMTE2LDEyNSw5NCwtNzAsNDYsLTc0LC0xNSwtOTUsLTUwLDU2LDExOCwtMTAyLDcxLC00Niw4OSw4MSwtMjMsNzYsLTEwNiw3LDM0LDcxLC0yNywyMSwxMTQsLTEyMSw0MCwxLDM1LC05NSwtODAsLTU5LDUxLDE1LDM0LDEwNCwtNTUsMTgsMzQsMzYsLTczLC0yMywtOTAsNDMsMjksMjksLTEyMSwyMywtNzgsLTIsNTksNjksLTQ1LC00OCwxMDIsNzMsLTE3LC00NiwtMzIsLTU2LC02MSwtNjcsNTUsLTg3LC0yLDc2LC0yNyw3NywtOTcsODgsLTkzLDQ1LC05Niw2MSwzMSwtNzcsMzQsLTEyNiwxMTUsMTI1LDk5LDEyNywxOSw5OSw1MywyNCwtODYsNjgsNDMsMjAsLTU1LDExMSw2OSwtNywtOTcsLTEyMyw1MywtNTgsLTExMSwxMjIsMTE1LC0xLC0xLC01MSwxMSwzMywtMTAwLC05NCwtNzEsLTExNCw1MywtODAsLTUzLDExNCwtNSwtODgsMjIsNDQsLTEwOSwtNzUsMTI3LDEyMSwtMTI1LC05OSwtMTcsNjAsLTYzLC02NiwtNzMsLTEyMSwxMjAsLTExNCwxMTMsLTQwLDEyMiwxMTYsLTI2LDExNyw2Miw3NSwtNTIsLTcxLC0xMTcsODYsMTA4LDEyMiwxMiw0MCwtODUsLTU1LC03MywtODUsOTksNjYsLTMsLTg5LC0xNywtMTAxLDExOSwyNSw3NywtMTA1LC01OSwtMTA1LDgsLTUxLDYsLTEwOCwtODYsMjIsLTMyLC05LDgwLC04OCw4Nyw2MywtMiwtMTAyLDYxLDEwLC05NCwtOTEsMjMsMTIwLC00MCw4OSwtODYsLTcsLTYyLC03Myw3OSwtNDYsLTEwOCwzMSw0Nyw0OCwtNzcsLTgsNzUsNDIsNzUsMTAzLC0xMTEsODEsLTk4LC00OCwtNzcsLTQyLDY3LDRdLCJtYXRlcmlhbFNldFNlcmlhbE51bWJlciI6MSwiaXZQYXJhbWV0ZXJTcGVjIjp7Iml2IjpbMiwxMDAsLTI2LDExMSwtNjEsODAsLTExNCwtMTcsLTQ5LDgyLDc5LC02MCw0LDYyLC0xMjAsNDhdfX0=", + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/data/placebo/test_config_rule_remediation/config.DescribeConfigRules_8.json b/tests/data/placebo/test_config_rule_remediation/config.DescribeConfigRules_8.json new file mode 100644 index 00000000000..41d13cd39ba --- /dev/null +++ b/tests/data/placebo/test_config_rule_remediation/config.DescribeConfigRules_8.json @@ -0,0 +1,252 @@ +{ + "status_code": 200, + "data": { + "ConfigRules": [ + { + "ConfigRuleName": "securityhub-s3-bucket-ssl-requests-only-5f634150", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-dtnyre", + "ConfigRuleId": "config-rule-dtnyre", + "Description": "Checks whether S3 buckets have policies that require requests to use Secure Socket Layer (SSL).", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::S3::Bucket" + ] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "S3_BUCKET_SSL_REQUESTS_ONLY" + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-sagemaker-notebook-no-direct-internet-access-7c462347", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-9r4usn", + "ConfigRuleId": "config-rule-9r4usn", + "Description": "Checks whether direct internet access is disabled for an Amazon SageMaker notebook instance. The rule is NON_COMPLIANT if Amazon SageMaker notebook instances are internet-enabled.", + "Scope": { + "ComplianceResourceTypes": [] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS" + }, + "InputParameters": "{}", + "MaximumExecutionFrequency": "Twelve_Hours", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-secretsmanager-rotation-enabled-check-3bc21937", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-ma7gvg", + "ConfigRuleId": "config-rule-ma7gvg", + "Description": "Checks whether AWS Secrets Manager secret has rotation enabled.", + "Scope": {}, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "SECRETSMANAGER_ROTATION_ENABLED_CHECK" + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-secretsmanager-scheduled-rotation-success-check-aec55511", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-etnvto", + "ConfigRuleId": "config-rule-etnvto", + "Description": "Checks and verifies whether AWS Secrets Manager secret rotation has rotated successfully as per the rotation schedule. The rule is NON_COMPLIANT if RotationOccurringAsScheduled is false.", + "Scope": {}, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "SECRETSMANAGER_SCHEDULED_ROTATION_SUCCESS_CHECK" + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-secretsmanager-secret-periodic-rotation-9bdb5765", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-rtrbnc", + "ConfigRuleId": "config-rule-rtrbnc", + "Description": "This control checks if your secrets have rotated at least once within 90 days. ", + "Scope": {}, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "SECRETSMANAGER_SECRET_PERIODIC_ROTATION" + }, + "InputParameters": "{}", + "MaximumExecutionFrequency": "Twelve_Hours", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-secretsmanager-secret-unused-49deb12a", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-8s4uc8", + "ConfigRuleId": "config-rule-8s4uc8", + "Description": "This control checks whether your secrets have been accessed within a specified number of days. The default value is 90 days. Secrets that have not been accessed even once within the number days you define, fail this check.", + "Scope": {}, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "SECRETSMANAGER_SECRET_UNUSED" + }, + "InputParameters": "{}", + "MaximumExecutionFrequency": "Twelve_Hours", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-service-vpc-endpoint-enabled-bc5ce862", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-xpmxgj", + "ConfigRuleId": "config-rule-xpmxgj", + "Description": "Checks whether Service Endpoint for the service provided in rule parameter is created for each Amazon VPC. The rule returns NON_COMPLIANT if an Amazon VPC doesn't have a VPC endpoint created for the service.", + "Scope": {}, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "SERVICE_VPC_ENDPOINT_ENABLED" + }, + "InputParameters": "{\"serviceName\":\"ec2\"}", + "MaximumExecutionFrequency": "Twelve_Hours", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-sns-encrypted-kms-b61211a8", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-5tiku3", + "ConfigRuleId": "config-rule-5tiku3", + "Description": "Checks whether Amazon SNS topic is encrypted with AWS Key Management Service (AWS KMS). The rule is NON_COMPLIANT if the Amazon SNS topic is not encrypted with AWS KMS.", + "Scope": {}, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "SNS_ENCRYPTED_KMS" + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-sqs-queue-encrypted-40c64a85", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-ngaq1t", + "ConfigRuleId": "config-rule-ngaq1t", + "Description": "This control checks whether Amazon SQS queues are encrypted at rest.", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::SQS::Queue" + ] + }, + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:SecurityHubConfigRule", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ConfigurationItemChangeNotification" + } + ] + }, + "InputParameters": "{\"version\":\"1.1\"}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-ssm-document-not-public-8a29b3bc", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-lrurxf", + "ConfigRuleId": "config-rule-lrurxf", + "Description": "This control checks whether AWS Systems Manager documents that the account owns are public. This control fails if SSM documents that have \"Self\" as the owner are public.", + "Scope": {}, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "SSM_DOCUMENT_NOT_PUBLIC" + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-subnet-auto-assign-public-ip-disabled-baf86933", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-oosmjz", + "ConfigRuleId": "config-rule-oosmjz", + "Description": "Checks if Amazon Virtual Private Cloud (Amazon VPC) subnets are assigned a public IP address. This rule is NON_COMPLIANT if Amazon VPC has subnets that are assigned a public IP address.", + "Scope": {}, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "SUBNET_AUTO_ASSIGN_PUBLIC_IP_DISABLED" + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-vpc-default-security-group-closed-3c5cc727", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-qd71i2", + "ConfigRuleId": "config-rule-qd71i2", + "Description": "Checks whether the default security group for VPC is closed.", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::EC2::SecurityGroup" + ] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "VPC_DEFAULT_SECURITY_GROUP_CLOSED" + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-vpc-network-acl-unused-check-a666f9a0", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-inqiv6", + "ConfigRuleId": "config-rule-inqiv6", + "Description": "Checks if there are unused Network Access Control Lists (NACLs). The rule is NON_COMPLIANT if an NACL is not associated with a subnet.", + "Scope": {}, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "VPC_NETWORK_ACL_UNUSED_CHECK" + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-vpc-sg-open-only-to-authorized-ports-c0907342", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-c1wxqp", + "ConfigRuleId": "config-rule-c1wxqp", + "Description": "This control checks whether the security groups allow unrestricted incoming traffic. The control fails if ports allow unrestricted traffic on ports other than 80 and 443, which are default values for parameter authorizedTcpPorts.", + "Scope": {}, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS" + }, + "InputParameters": "{\"authorizedTcpPorts\":\"80,443\"}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + }, + { + "ConfigRuleName": "securityhub-vpc-sg-restricted-common-ports-2aa66b72", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-xilkxe", + "ConfigRuleId": "config-rule-xilkxe", + "Description": "This control checks whether unrestricted incoming traffic for the security groups is accessible to the specified ports that have the highest risk.", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::EC2::SecurityGroup" + ] + }, + "Source": { + "Owner": "CUSTOM_LAMBDA", + "SourceIdentifier": "arn:aws:lambda:us-east-1:644160558196:function:SecurityHubConfigRule", + "SourceDetails": [ + { + "EventSource": "aws.config", + "MessageType": "ConfigurationItemChangeNotification" + } + ] + }, + "InputParameters": "{\"version\":\"1.1\"}", + "ConfigRuleState": "ACTIVE", + "CreatedBy": "securityhub.amazonaws.com" + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/data/placebo/test_config_rule_remediation/config.DescribeRemediationConfigurations_1.json b/tests/data/placebo/test_config_rule_remediation/config.DescribeRemediationConfigurations_1.json new file mode 100644 index 00000000000..e468a765064 --- /dev/null +++ b/tests/data/placebo/test_config_rule_remediation/config.DescribeRemediationConfigurations_1.json @@ -0,0 +1,31 @@ +{ + "status_code": 200, + "data": { + "RemediationConfigurations": [ + { + "ConfigRuleName": "custodian-config-managed-s3-bucket-public-write-remediate-event", + "TargetType": "SSM_DOCUMENT", + "TargetId": "AWS-DisableS3BucketPublicReadWrite", + "Parameters": { + "AutomationAssumeRole": { + "StaticValue": { + "Values": [ + "arn:aws:iam::644160558196:role/myrole" + ] + } + }, + "S3BucketName": { + "ResourceValue": { + "Value": "RESOURCE_ID" + } + } + }, + "Automatic": true, + "MaximumAutomaticAttempts": 5, + "RetryAttemptSeconds": 211, + "Arn": "arn:aws:config:us-east-1:644160558196:remediation-configuration/custodian-config-managed-s3-bucket-public-write-remediate-event/cadfb035-9d35-44c6-973c-091740093a59" + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/data/placebo/test_config_rule_remediation/tagging.GetResources_1.json b/tests/data/placebo/test_config_rule_remediation/tagging.GetResources_1.json new file mode 100644 index 00000000000..24967b6c4b2 --- /dev/null +++ b/tests/data/placebo/test_config_rule_remediation/tagging.GetResources_1.json @@ -0,0 +1 @@ +{"status_code": 200, "data": {"PaginationToken": "", "ResourceTagMappingList": []}} diff --git a/tests/data/placebo/test_toggle_config_managed_rule/config.DeleteConfigRule_1.json b/tests/data/placebo/test_toggle_config_managed_rule/config.DeleteConfigRule_1.json new file mode 100644 index 00000000000..5b2170a073c --- /dev/null +++ b/tests/data/placebo/test_toggle_config_managed_rule/config.DeleteConfigRule_1.json @@ -0,0 +1,6 @@ +{ + "status_code": 200, + "data": { + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/data/placebo/test_toggle_config_managed_rule/config.DeleteRemediationConfiguration_1.json b/tests/data/placebo/test_toggle_config_managed_rule/config.DeleteRemediationConfiguration_1.json new file mode 100644 index 00000000000..5b2170a073c --- /dev/null +++ b/tests/data/placebo/test_toggle_config_managed_rule/config.DeleteRemediationConfiguration_1.json @@ -0,0 +1,6 @@ +{ + "status_code": 200, + "data": { + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/data/placebo/test_toggle_config_managed_rule/config.DescribeConfigRules_1.json b/tests/data/placebo/test_toggle_config_managed_rule/config.DescribeConfigRules_1.json new file mode 100644 index 00000000000..904f08d5660 --- /dev/null +++ b/tests/data/placebo/test_toggle_config_managed_rule/config.DescribeConfigRules_1.json @@ -0,0 +1,30 @@ +{ + "status_code": 200, + "data": { + "ConfigRules": [ + { + "ConfigRuleName": "test-enable-config-managed-rule", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-xtqwge", + "ConfigRuleId": "config-rule-xtqwge", + "Description": "cloud-custodian AWS Config Managed Rule policy", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::S3::Bucket" + ] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "S3_BUCKET_PUBLIC_WRITE_PROHIBITED" + }, + "InputParameters": "{}", + "ConfigRuleState": "ACTIVE", + "EvaluationModes": [ + { + "Mode": "DETECTIVE" + } + ] + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/data/placebo/test_toggle_config_managed_rule/config.DescribeConfigRules_2.json b/tests/data/placebo/test_toggle_config_managed_rule/config.DescribeConfigRules_2.json new file mode 100644 index 00000000000..4586980453b --- /dev/null +++ b/tests/data/placebo/test_toggle_config_managed_rule/config.DescribeConfigRules_2.json @@ -0,0 +1,30 @@ +{ + "status_code": 200, + "data": { + "ConfigRules": [ + { + "ConfigRuleName": "test-enable-config-managed-rule", + "ConfigRuleArn": "arn:aws:config:us-east-1:644160558196:config-rule/config-rule-xtqwge", + "ConfigRuleId": "config-rule-xtqwge", + "Description": "cloud-custodian AWS Config Managed Rule policy", + "Scope": { + "ComplianceResourceTypes": [ + "AWS::S3::Bucket" + ] + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "S3_BUCKET_PUBLIC_WRITE_PROHIBITED" + }, + "InputParameters": "{}", + "ConfigRuleState": "DELETING", + "EvaluationModes": [ + { + "Mode": "DETECTIVE" + } + ] + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/data/placebo/test_toggle_config_managed_rule/config.DescribeRemediationConfigurations_1.json b/tests/data/placebo/test_toggle_config_managed_rule/config.DescribeRemediationConfigurations_1.json new file mode 100644 index 00000000000..24a8fcbcacc --- /dev/null +++ b/tests/data/placebo/test_toggle_config_managed_rule/config.DescribeRemediationConfigurations_1.json @@ -0,0 +1,31 @@ +{ + "status_code": 200, + "data": { + "RemediationConfigurations": [ + { + "ConfigRuleName": "test-enable-config-managed-rule", + "TargetType": "SSM_DOCUMENT", + "TargetId": "AWS-DisableS3BucketPublicReadWrite", + "Parameters": { + "AutomationAssumeRole": { + "StaticValue": { + "Values": [ + "arn:aws:iam::644160558196:role/myrole" + ] + } + }, + "S3BucketName": { + "ResourceValue": { + "Value": "RESOURCE_ID" + } + } + }, + "Automatic": true, + "MaximumAutomaticAttempts": 5, + "RetryAttemptSeconds": 211, + "Arn": "arn:aws:config:us-east-1:644160558196:remediation-configuration/test-enable-config-managed-rule/f5e5f48d-45e5-4e1b-bf6e-9af5d222ad38" + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/data/placebo/test_toggle_config_managed_rule/config.PutConfigRule_1.json b/tests/data/placebo/test_toggle_config_managed_rule/config.PutConfigRule_1.json new file mode 100644 index 00000000000..5b2170a073c --- /dev/null +++ b/tests/data/placebo/test_toggle_config_managed_rule/config.PutConfigRule_1.json @@ -0,0 +1,6 @@ +{ + "status_code": 200, + "data": { + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/data/placebo/test_toggle_config_managed_rule/config.PutRemediationConfigurations_1.json b/tests/data/placebo/test_toggle_config_managed_rule/config.PutRemediationConfigurations_1.json new file mode 100644 index 00000000000..71e1deca5b9 --- /dev/null +++ b/tests/data/placebo/test_toggle_config_managed_rule/config.PutRemediationConfigurations_1.json @@ -0,0 +1,7 @@ +{ + "status_code": 200, + "data": { + "FailedBatches": [], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/data/placebo/test_toggle_config_managed_rule/iam.ListAccountAliases_1.json b/tests/data/placebo/test_toggle_config_managed_rule/iam.ListAccountAliases_1.json new file mode 100644 index 00000000000..aea4aa3ad0d --- /dev/null +++ b/tests/data/placebo/test_toggle_config_managed_rule/iam.ListAccountAliases_1.json @@ -0,0 +1,10 @@ +{ + "status_code": 200, + "data": { + "AccountAliases": [ + "ajsbx" + ], + "IsTruncated": false, + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/data/placebo/test_toggle_config_managed_rule/iam.ListAccountAliases_2.json b/tests/data/placebo/test_toggle_config_managed_rule/iam.ListAccountAliases_2.json new file mode 100644 index 00000000000..aea4aa3ad0d --- /dev/null +++ b/tests/data/placebo/test_toggle_config_managed_rule/iam.ListAccountAliases_2.json @@ -0,0 +1,10 @@ +{ + "status_code": 200, + "data": { + "AccountAliases": [ + "ajsbx" + ], + "IsTruncated": false, + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/test_account.py b/tests/test_account.py index 524c1b6774e..821a6841cc6 100644 --- a/tests/test_account.py +++ b/tests/test_account.py @@ -1295,6 +1295,103 @@ def test_lakeformation_filter(self): self.assertEqual( resources[0]["c7n:lake-cross-account-s3"], ["testarena.com"]) + def test_toggle_config_managed_rule_validation(self): + policy = { + "name": "enable-config-managed-rule-valid", + "resource": "account", + "actions": [ + { + "type": "toggle-config-managed-rule", + "rule_name": "enable-config-managed-rule", + "rule_prefix": "test-", + "managed_rule_id": "S3_BUCKET_PUBLIC_WRITE_PROHIBITED", + "resource_types": [ + "AWS::S3::Bucket" + ], + } + ] + } + p = self.load_policy(policy) + p.validate() + + # Make the policy invalid + del policy["actions"][0]["managed_rule_id"] + with self.assertRaises( + PolicyValidationError, msg="managed_rule_id required to enable" + ): + p.validate() + + def test_toggle_config_managed_rule(self): + session_factory = self.replay_flight_data("test_toggle_config_managed_rule") + policy = { + "name": "enable-config-managed-rule", + "resource": "account", + "actions": [ + { + "type": "toggle-config-managed-rule", + "rule_name": "enable-config-managed-rule", + "rule_prefix": "test-", + "managed_rule_id": "S3_BUCKET_PUBLIC_WRITE_PROHIBITED", + "resource_types": [ + "AWS::S3::Bucket" + ], + "rule_parameters": "{}", + "remediation": { + "TargetId": "AWS-DisableS3BucketPublicReadWrite", + "Automatic": True, + "MaximumAutomaticAttempts": 5, + "RetryAttemptSeconds": 211, + "Parameters": { + "AutomationAssumeRole": { + "StaticValue": { + "Values": [ + "arn:aws:iam::{account_id}:role/myrole" + ] + } + }, + "S3BucketName": { + "ResourceValue": { + "Value": "RESOURCE_ID" + } + } + } + } + } + ] + } + + # Enable the managed rule + p = self.load_policy( + policy, + session_factory=session_factory, + ) + p.expand_variables(p.get_variables()) + resources = p.run() + self.assertEqual(len(resources), 1) + client = local_session(session_factory).client('config') + resp = client.describe_config_rules( + ConfigRuleNames=['test-enable-config-managed-rule'] + ) + self.assertEqual(len(resp['ConfigRules']), 1) + resp = client.describe_remediation_configurations( + ConfigRuleNames=['test-enable-config-managed-rule'] + ) + self.assertEqual(len(resp['RemediationConfigurations']), 1) + + # Disable the rule we just enabled + policy["actions"][0]["enabled"] = False + p = self.load_policy( + policy, + session_factory=session_factory, + ) + p.expand_variables(p.get_variables()) + resources = p.run() + self.assertEqual(len(resources), 1) + resp = client.describe_config_rules( + ConfigRuleNames=['test-enable-config-managed-rule'] + ) + self.assertEqual(resp['ConfigRules'][0]['ConfigRuleState'], 'DELETING') + @terraform('cloudtrail_success_log_metric_filter') def test_cloudtrail_success_log_metric_filter(test, cloudtrail_success_log_metric_filter): diff --git a/tests/test_config.py b/tests/test_config.py index 8aae0933f90..dee5e32d75d 100644 --- a/tests/test_config.py +++ b/tests/test_config.py @@ -131,3 +131,72 @@ def test_delete(self): "ConfigRules", [] ) self.assertEqual(rules[0]["ConfigRuleState"], "DELETING") + + def test_remediation(self): + session_factory = self.replay_flight_data("test_config_rule_remediation") + p = self.load_policy( + { + "name": "rule", + "resource": "config-rule", + "filters": [ + { + "type": "remediation", + "rule_name": "config-managed-s3-bucket-public-write-remediate-event", + "remediation": { + "TargetId": "AWS-DisableS3BucketPublicReadWrite", + "Automatic": True, + "MaximumAutomaticAttempts": 5, + "RetryAttemptSeconds": 211, + "Parameters": { + "AutomationAssumeRole": { + "StaticValue": { + "Values": [ + "arn:aws:iam::{account_id}:role/myrole" + ] + } + }, + "S3BucketName": { + "ResourceValue": { + "Value": "RESOURCE_ID" + } + } + } + } + } + ], + }, + session_factory=session_factory, + ) + p.expand_variables(p.get_variables()) + resources = p.run() + self.assertEqual(len(resources), 1) + self.assertEqual( + resources[0]['ConfigRuleName'], + 'custodian-config-managed-s3-bucket-public-write-remediate-event' + ) + + def test_remediation_no_results(self): + session_factory = self.replay_flight_data("test_config_rule_remediation") + policy = { + "name": "rule", + "resource": "config-rule", + "filters": [ + { + "type": "remediation", + "rule_name": "i-dont-exist", + } + ] + } + p = self.load_policy(policy, session_factory=session_factory) + resources = p.run() + self.assertEqual(len(resources), 0) + + # Provide a valid rule name match but non-matching remediation config + policy['filters'][0]['rule_name'] = 'config-managed-s3-bucket-public-write-remediate-event' + policy['filters'][0]['remediation'] = { + "TargetId": "intentionally-incorrect-target", + } + p = self.load_policy(policy, session_factory=session_factory) + p.expand_variables(p.get_variables()) + resources = p.run() + self.assertEqual(len(resources), 0)