diff --git a/non-compatible/tests/ecc-aws-005-rds_not_open_to_large_scope/placebo-green/ec2.DescribeSecurityGroups_1.json b/non-compatible/tests/ecc-aws-005-rds_not_open_to_large_scope/placebo-green/ec2.DescribeSecurityGroups_1.json deleted file mode 100644 index b50be5b4b..000000000 --- a/non-compatible/tests/ecc-aws-005-rds_not_open_to_large_scope/placebo-green/ec2.DescribeSecurityGroups_1.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "status_code": 200, - "data": { - "SecurityGroups": [ - { - "Description": "Allow all inbound traffic", - "GroupName": "c7n_005_green", - "IpPermissions": [ - { - "FromPort": 22, - "IpProtocol": "tcp", - "IpRanges": [ - { - "CidrIp": "12.12.12.12/32" - } - ], - "Ipv6Ranges": [], - "PrefixListIds": [], - "ToPort": 22, - "UserIdGroupPairs": [] - } - ], - "OwnerId": "this", - "GroupId": "sg-1212121212121212", - "IpPermissionsEgress": [], - "VpcId": "vpc-12121212" - } - ], - "ResponseMetadata": {} - } -} \ No newline at end of file diff --git a/non-compatible/tests/ecc-aws-005-rds_not_open_to_large_scope/placebo-green/tagging.GetResources_1.json b/non-compatible/tests/ecc-aws-005-rds_not_open_to_large_scope/placebo-green/tagging.GetResources_1.json deleted file mode 100644 index 8b704d185..000000000 --- a/non-compatible/tests/ecc-aws-005-rds_not_open_to_large_scope/placebo-green/tagging.GetResources_1.json +++ /dev/null @@ -1,8 +0,0 @@ -{ - "status_code": 200, - "data": { - "PaginationToken": "", - "ResourceTagMappingList": [], - "ResponseMetadata": {} - } -} \ No newline at end of file diff --git a/non-compatible/tests/ecc-aws-005-rds_not_open_to_large_scope/placebo-red/ec2.DescribeSecurityGroups_1.json b/non-compatible/tests/ecc-aws-005-rds_not_open_to_large_scope/placebo-red/ec2.DescribeSecurityGroups_1.json deleted file mode 100644 index 664b3a570..000000000 --- a/non-compatible/tests/ecc-aws-005-rds_not_open_to_large_scope/placebo-red/ec2.DescribeSecurityGroups_1.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "status_code": 200, - "data": { - "SecurityGroups": [ - { - "Description": "Allow all inbound traffic", - "GroupName": "c7n_005_red", - "IpPermissions": [ - { - "FromPort": 22, - "IpProtocol": "tcp", - "IpRanges": [ - { - "CidrIp": "0.0.0.0/0" - } - ], - "Ipv6Ranges": [], - "PrefixListIds": [], - "ToPort": 22, - "UserIdGroupPairs": [] - } - ], - "OwnerId": "this", - "GroupId": "sg-1212121212121212", - "IpPermissionsEgress": [], - "VpcId": "vpc-1212121" - } - ], - "ResponseMetadata": {} - } -} \ No newline at end of file diff --git a/non-compatible/tests/ecc-aws-005-rds_not_open_to_large_scope/placebo-red/tagging.GetResources_1.json b/non-compatible/tests/ecc-aws-005-rds_not_open_to_large_scope/placebo-red/tagging.GetResources_1.json deleted file mode 100644 index 8b704d185..000000000 --- a/non-compatible/tests/ecc-aws-005-rds_not_open_to_large_scope/placebo-red/tagging.GetResources_1.json +++ /dev/null @@ -1,8 +0,0 @@ -{ - "status_code": 200, - "data": { - "PaginationToken": "", - "ResourceTagMappingList": [], - "ResponseMetadata": {} - } -} \ No newline at end of file diff --git a/non-compatible/policies/ecc-aws-005-rds_not_open_to_large_scope.yml b/policies/ecc-aws-005-rds_not_open_to_large_scope.yml similarity index 69% rename from non-compatible/policies/ecc-aws-005-rds_not_open_to_large_scope.yml rename to policies/ecc-aws-005-rds_not_open_to_large_scope.yml index ea3b948c2..78e0ed24d 100644 --- a/non-compatible/policies/ecc-aws-005-rds_not_open_to_large_scope.yml +++ b/policies/ecc-aws-005-rds_not_open_to_large_scope.yml 
@@ -6,14 +6,14 @@ policies: - name: ecc-aws-005-rds_not_open_to_large_scope - comment: '010024062000' + comment: '010042062000' description: | RDS is open to a large scope resource: aws.rds filters: - - type: rds-vpc-filter - key: SecurityGroups[].IpPermissions[].IpRanges[].CidrIp - op: in + - type: security-group + key: '[IpPermissions[].IpRanges[].CidrIp,IpPermissions[].Ipv6Ranges[].CidrIpv6][]' + op: intersect value: - "0.0.0.0/0" - - "::/0" + - "::/0" \ No newline at end of file diff --git a/terraform/ecc-aws-005-rds_not_open_to_large_scope/green/rds.tf b/terraform/ecc-aws-005-rds_not_open_to_large_scope/green/rds.tf index 54f4bd954..b776757c0 100644 --- a/terraform/ecc-aws-005-rds_not_open_to_large_scope/green/rds.tf +++ b/terraform/ecc-aws-005-rds_not_open_to_large_scope/green/rds.tf 
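Review bot: The new `security-group` filter only matches the literal strings `0.0.0.0/0` and `::/0` in ingress `IpRanges`/`Ipv6Ranges`, so the unchanged `description: RDS is open to a large scope` promises more than the rule detects: any other broad prefix passes. If the all-addresses CIDRs are the intended scope, say so in the description, e.g. `RDS instance security group allows inbound access from 0.0.0.0/0 or ::/0`; if "large scope" is meant literally, a prefix-length comparison rather than an exact `intersect` would be needed. The last added line `+      - "::/0"` also drops the file's trailing newline (`\ No newline at end of file`), which is churn the next editor save will revert.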
@@ -1,33 +1,27 @@
-resource "aws_security_group" "this" {
- name = "005_security_group_green"
- description = "Restrict inbound traffic"
-
- ingress {
- from_port = 22
- to_port = 22
- protocol = "tcp"
- cidr_blocks = ["89.162.139.30/32"]
- }
-}
 resource "random_password" "this" {
 length = 12
+ lower = true
+ min_lower = 1
+ upper = true
+ min_upper = 1
 special = true
+ min_special = 1
 numeric = true
+ min_numeric = 1
 override_special = "!#$%*()-_=+[]{}:?"
 }
 resource "aws_db_instance" "this" {
- identifier = "database-005-green"
- engine = "mysql"
- engine_version = "5.7"
- instance_class = "db.t2.micro"
- allocated_storage = 20
- storage_type = "gp2"
- db_name = "database005green"
- username = "root"
- password = random_password.this.result
- parameter_group_name = "default.mysql5.7"
- skip_final_snapshot = true
- vpc_security_group_ids = ["${aws_security_group.this.id}"]
+ identifier = "database-005-green"
+ engine = "mysql"
+ instance_class = "db.t4g.micro"
+ allocated_storage = 20
+ storage_type = "gp2"
+ username = "root"
+ password = random_password.this.result
+ skip_final_snapshot = true
+ backup_retention_period = 0
+ engine_lifecycle_support = "open-source-rds-extended-support-disabled"
+ vpc_security_group_ids = ["${aws_security_group.this.id}"]
 }
\ No newline at end of file
diff --git a/terraform/ecc-aws-005-rds_not_open_to_large_scope/green/vpc.tf b/terraform/ecc-aws-005-rds_not_open_to_large_scope/green/vpc.tf
new file mode 100644
index 000000000..b201a8a34
--- /dev/null
+++ b/terraform/ecc-aws-005-rds_not_open_to_large_scope/green/vpc.tf
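Review bot: `aws_db_instance.this` no longer pins `engine_version`, so the MySQL version is whatever the provider's default is at apply time; the recorded green fixture shows `8.0.40`, and a later default will silently move the live instance away from the placebo data. Pin it next to `engine = "mysql"`, e.g. `engine_version = "8.0.40"`. The kept `vpc_security_group_ids = ["${aws_security_group.this.id}"]` line is the legacy interpolation form; `vpc_security_group_ids = [aws_security_group.this.id]` is the idiomatic one. Both points apply equally to the red1/rds.tf and red2/rds.tf hunks.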
@@ -0,0 +1,90 @@ +data "aws_vpc" "default" { + default = true +} + +data "aws_availability_zones" "this" { + state = "available" +} + +data "aws_subnets" "this" { + filter { + name = "vpc-id" + values = [data.aws_vpc.default.id] + } + filter { + name = "availability-zone" + values = data.aws_availability_zones.this.names + } + filter { + name = "map-public-ip-on-launch" + values = ["true"] + } +} + +data "aws_security_group" "this" { + filter { + name = "vpc-id" + values = [data.aws_vpc.default.id] + } + + filter { + name = "group-name" + values = ["default"] + } +} + +resource "aws_security_group" "this" { + name = "005_security_group_green" + description = "Allow all inbound traffic" + + tags = { + Name = "005_security_group_green" + } +} + +resource "aws_vpc_security_group_ingress_rule" "this1" { + security_group_id = aws_security_group.this.id + cidr_ipv4 = data.aws_vpc.default.cidr_block + from_port = 443 + ip_protocol = "tcp" + to_port = 443 +} + +resource "aws_vpc_security_group_egress_rule" "this2" { + security_group_id = aws_security_group.this.id + cidr_ipv4 = "0.0.0.0/0" + ip_protocol = "-1" +} + +resource "aws_vpc_security_group_egress_rule" "this3" { + security_group_id = aws_security_group.this.id + cidr_ipv6 = "::/0" + ip_protocol = "-1" +} + +resource "aws_vpc_security_group_ingress_rule" "this4" { + security_group_id = aws_security_group.this.id + referenced_security_group_id = data.aws_security_group.this.id + from_port = 443 + ip_protocol = "tcp" + to_port = 443 +} + +resource "aws_vpc_security_group_ingress_rule" "this5" { + security_group_id = aws_security_group.this.id + prefix_list_id = aws_ec2_managed_prefix_list.this.id + from_port = 443 + ip_protocol = "tcp" + to_port = 443 +} + +resource "aws_ec2_managed_prefix_list" "this" { + name = "005_prefix_list_green" + address_family = "IPv4" + max_entries = 5 + + entry { + cidr = data.aws_vpc.default.cidr_block + description = "test" + } +} \ No newline at end of file 
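Review bot: `description = "Allow all inbound traffic"` on `aws_security_group.this` is wrong for the green variant, whose only ingress rules (`this1`, `this4`, `this5`) are tcp/443 from the VPC CIDR, the default group and the prefix list; the recorded DescribeSecurityGroups fixture carries that text and a reader will assume the wrong scope. A description that states the real rule set, e.g. `description = "Allow 443 from the default VPC only"`, keeps the green/red distinction visible. `data.aws_subnets.this` (and `data.aws_availability_zones.this`, which only it references) is not used by any resource in this file or in green/rds.tf, so it looks like a leftover; dropping both removes two API calls and an unnecessary dependency on the default VPC having public subnets. The same unreferenced data sources appear in red1/vpc.tf and red2/vpc.tf.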
diff --git a/terraform/ecc-aws-005-rds_not_open_to_large_scope/iam/005-policy.json b/terraform/ecc-aws-005-rds_not_open_to_large_scope/iam/005-policy.json
index 10c5af4ac..b50b05964 100644
--- a/terraform/ecc-aws-005-rds_not_open_to_large_scope/iam/005-policy.json
+++ b/terraform/ecc-aws-005-rds_not_open_to_large_scope/iam/005-policy.json
@@ -4,12 +4,10 @@
 {
 "Effect": "Allow",
 "Action": [
- "tag:GetResources",
 "rds:DescribeDBInstances",
- "ec2:DescribeSecurityGroups",
- "ec2:DescribeSecurityGroupRules"
+ "ec2:DescribeSecurityGroups"
 ],
 "Resource": "*"
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-005-rds_not_open_to_large_scope/red/rds.tf b/terraform/ecc-aws-005-rds_not_open_to_large_scope/red/rds.tf
deleted file mode 100644
index 591bbb4f8..000000000
--- a/terraform/ecc-aws-005-rds_not_open_to_large_scope/red/rds.tf
+++ /dev/null
@@ -1,33 +0,0 @@
-resource "aws_security_group" "this" {
- name = "005_security_group_red"
- description = "Allow all inbound traffic"
-
- ingress {
- from_port = 22
- to_port = 22
- protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
- }
-}
-
-resource "random_password" "this" {
- length = 12
- special = true
- numeric = true
- override_special = "!#$%*()-_=+[]{}:?"
-}
-
-resource "aws_db_instance" "this" {
- identifier = "database-005-red"
- engine = "mysql"
- engine_version = "5.7"
- instance_class = "db.t2.micro"
- allocated_storage = 20
- storage_type = "gp2"
- db_name = "database005red"
- username = "root"
- password = random_password.this.result
- parameter_group_name = "default.mysql5.7"
- skip_final_snapshot = true
- vpc_security_group_ids = ["${aws_security_group.this.id}"]
-}
\ No newline at end of file
diff --git a/terraform/ecc-aws-005-rds_not_open_to_large_scope/red1/provider.tf b/terraform/ecc-aws-005-rds_not_open_to_large_scope/red1/provider.tf
index 3c3fcb2fe..58b5dca85 100644
--- a/terraform/ecc-aws-005-rds_not_open_to_large_scope/red1/provider.tf
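Review bot: The closing `-}`/`+}` pair in the 005-policy.json hunk exists only because the file lost its trailing newline (`\ No newline at end of file`); keep the newline so the hunk is just the two action removals and the next editor save does not flip it back. Dropping `tag:GetResources` and `ec2:DescribeSecurityGroupRules` appears consistent with the policy moving to the `security-group` filter, which the kept `ec2:DescribeSecurityGroups` serves, but that link is only visible from the policy hunk; a one-line commit note stating why the two actions are no longer needed would save the next reader the cross-reference.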
+++ b/terraform/ecc-aws-005-rds_not_open_to_large_scope/red1/provider.tf
@@ -7,10 +7,10 @@ terraform {
 }
 }
-provider "aws"{
+provider "aws" {
 profile = var.profile
 region = var.default-region
-
+
 default_tags {
 tags = {
 CustodianRule = "ecc-aws-005-rds_not_open_to_large_scope"
diff --git a/terraform/ecc-aws-005-rds_not_open_to_large_scope/red1/rds.tf b/terraform/ecc-aws-005-rds_not_open_to_large_scope/red1/rds.tf
index f372ce1a3..de8e2b31f 100644
--- a/terraform/ecc-aws-005-rds_not_open_to_large_scope/red1/rds.tf
+++ b/terraform/ecc-aws-005-rds_not_open_to_large_scope/red1/rds.tf
@@ -1,33 +1,27 @@
-resource "aws_security_group" "this" {
- name = "005_security_group_red1"
- description = "Allow all inbound traffic"
-
- ingress {
- from_port = 22
- to_port = 22
- protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
- }
-}
 resource "random_password" "this" {
 length = 12
+ lower = true
+ min_lower = 1
+ upper = true
+ min_upper = 1
 special = true
+ min_special = 1
 numeric = true
+ min_numeric = 1
 override_special = "!#$%*()-_=+[]{}:?"
 }
 resource "aws_db_instance" "this" {
- identifier = "database-005-red1"
- engine = "mysql"
- engine_version = "5.7"
- instance_class = "db.t2.micro"
- allocated_storage = 20
- db_name = "database005red1"
- storage_type = "gp2"
- username = "root"
- password = random_password.this.result
- parameter_group_name = "default.mysql5.7"
- skip_final_snapshot = true
- vpc_security_group_ids = ["${aws_security_group.this.id}"]
+ identifier = "database-005-red1"
+ engine = "mysql"
+ instance_class = "db.t4g.micro"
+ allocated_storage = 20
+ storage_type = "gp2"
+ username = "root"
+ password = random_password.this.result
+ skip_final_snapshot = true
+ backup_retention_period = 0
+ engine_lifecycle_support = "open-source-rds-extended-support-disabled"
+ vpc_security_group_ids = ["${aws_security_group.this.id}"]
 }
\ No newline at end of file
diff --git a/terraform/ecc-aws-005-rds_not_open_to_large_scope/red1/vpc.tf b/terraform/ecc-aws-005-rds_not_open_to_large_scope/red1/vpc.tf
new file mode 100644
index 000000000..5ba99b683
--- /dev/null
+++ b/terraform/ecc-aws-005-rds_not_open_to_large_scope/red1/vpc.tf
@@ -0,0 +1,100 @@ +data "aws_vpc" "default" { + default = true +} + +data "aws_availability_zones" "this" { + state = "available" +} + +data "aws_subnets" "this" { + filter { + name = "vpc-id" + values = [data.aws_vpc.default.id] + } + filter { + name = "availability-zone" + values = data.aws_availability_zones.this.names + } + filter { + name = "map-public-ip-on-launch" + values = ["true"] + } +} + +data "aws_security_group" "this" { + filter { + name = "vpc-id" + values = [data.aws_vpc.default.id] + } + + filter { + name = "group-name" + values = ["default"] + } +} + +resource "aws_security_group" "this" { + name = "005_security_group_red1" + description = "Allow all inbound traffic" + + tags = { + Name = "005_security_group_red1" + } +} + +resource "aws_vpc_security_group_ingress_rule" "this1" { + security_group_id = aws_security_group.this.id + cidr_ipv4 = "0.0.0.0/0" + from_port = 100 + ip_protocol = "tcp" + to_port = 100 +} + +resource "aws_vpc_security_group_ingress_rule" "this2" { + security_group_id = aws_security_group.this.id + cidr_ipv4 = data.aws_vpc.default.cidr_block + from_port = 443 + ip_protocol = "tcp" + to_port = 443 +} + + +resource "aws_vpc_security_group_egress_rule" "this3" { + security_group_id = aws_security_group.this.id + cidr_ipv4 = "0.0.0.0/0" + ip_protocol = "-1" +} + +resource "aws_vpc_security_group_egress_rule" "this4" { + security_group_id = aws_security_group.this.id + cidr_ipv6 = "::/0" + ip_protocol = "-1" +} + +resource "aws_vpc_security_group_ingress_rule" "this5" { + security_group_id = aws_security_group.this.id + referenced_security_group_id = data.aws_security_group.this.id + from_port = 443 + ip_protocol = "tcp" + to_port = 443 +} + +resource "aws_vpc_security_group_ingress_rule" "this6" { + security_group_id = aws_security_group.this.id + prefix_list_id = aws_ec2_managed_prefix_list.this.id + from_port = 443 + ip_protocol = "tcp" + to_port = 443 +} + + +resource "aws_ec2_managed_prefix_list" "this" { + name = 
"005_prefix_list_red1" + address_family = "IPv4" + max_entries = 5 + + entry { + cidr = data.aws_vpc.default.cidr_block + description = "test" + } +} \ No newline at end of file diff --git a/terraform/ecc-aws-005-rds_not_open_to_large_scope/red/provider.tf b/terraform/ecc-aws-005-rds_not_open_to_large_scope/red2/provider.tf similarity index 79% rename from terraform/ecc-aws-005-rds_not_open_to_large_scope/red/provider.tf rename to terraform/ecc-aws-005-rds_not_open_to_large_scope/red2/provider.tf index 26d6d15a3..ec849b287 100644 --- a/terraform/ecc-aws-005-rds_not_open_to_large_scope/red/provider.tf +++ b/terraform/ecc-aws-005-rds_not_open_to_large_scope/red2/provider.tf @@ -7,14 +7,14 @@ terraform { } } -provider "aws"{ +provider "aws" { profile = var.profile region = var.default-region - + default_tags { tags = { CustodianRule = "ecc-aws-005-rds_not_open_to_large_scope" - ComplianceStatus = "Red" + ComplianceStatus = "Red2" } } } diff --git a/terraform/ecc-aws-005-rds_not_open_to_large_scope/red2/rds.tf b/terraform/ecc-aws-005-rds_not_open_to_large_scope/red2/rds.tf new file mode 100644 index 000000000..579cee81d --- /dev/null +++ b/terraform/ecc-aws-005-rds_not_open_to_large_scope/red2/rds.tf @@ -0,0 +1,27 @@ + +resource "random_password" "this" { + length = 12 + lower = true + min_lower = 1 + upper = true + min_upper = 1 + special = true + min_special = 1 + numeric = true + min_numeric = 1 + override_special = "!#$%*()-_=+[]{}:?" +} + +resource "aws_db_instance" "this" { + identifier = "database-005-red2" + engine = "mysql" + instance_class = "db.t4g.micro" + allocated_storage = 20 + storage_type = "gp2" + username = "root" + password = random_password.this.result + skip_final_snapshot = true + backup_retention_period = 0 + engine_lifecycle_support = "open-source-rds-extended-support-disabled" + vpc_security_group_ids = ["${aws_security_group.this.id}"] +} \ No newline at end of file 
diff --git a/terraform/ecc-aws-005-rds_not_open_to_large_scope/red/terraform.tfvars b/terraform/ecc-aws-005-rds_not_open_to_large_scope/red2/terraform.tfvars
similarity index 100%
rename from terraform/ecc-aws-005-rds_not_open_to_large_scope/red/terraform.tfvars
rename to terraform/ecc-aws-005-rds_not_open_to_large_scope/red2/terraform.tfvars
diff --git a/terraform/ecc-aws-005-rds_not_open_to_large_scope/red/variables.tf b/terraform/ecc-aws-005-rds_not_open_to_large_scope/red2/variables.tf
similarity index 100%
rename from terraform/ecc-aws-005-rds_not_open_to_large_scope/red/variables.tf
rename to terraform/ecc-aws-005-rds_not_open_to_large_scope/red2/variables.tf
diff --git a/terraform/ecc-aws-005-rds_not_open_to_large_scope/red2/vpc.tf b/terraform/ecc-aws-005-rds_not_open_to_large_scope/red2/vpc.tf
new file mode 100644
index 000000000..58064e956
--- /dev/null
+++ b/terraform/ecc-aws-005-rds_not_open_to_large_scope/red2/vpc.tf
@@ -0,0 +1,98 @@ +data "aws_vpc" "default" { + default = true +} + +data "aws_availability_zones" "this" { + state = "available" +} + +data "aws_subnets" "this" { + filter { + name = "vpc-id" + values = [data.aws_vpc.default.id] + } + filter { + name = "availability-zone" + values = data.aws_availability_zones.this.names + } + filter { + name = "map-public-ip-on-launch" + values = ["true"] + } +} + +data "aws_security_group" "this" { + filter { + name = "vpc-id" + values = [data.aws_vpc.default.id] + } + + filter { + name = "group-name" + values = ["default"] + } +} + +resource "aws_security_group" "this" { + name = "005_security_group_red2" + description = "Allow all inbound traffic" + + tags = { + Name = "005_security_group_red2" + } +} + +resource "aws_vpc_security_group_ingress_rule" "this1" { + security_group_id = aws_security_group.this.id + cidr_ipv6 = "::/0" + from_port = 100 + ip_protocol = "tcp" + to_port = 100 +} + +resource "aws_vpc_security_group_ingress_rule" "this2" { + security_group_id = aws_security_group.this.id + cidr_ipv4 = data.aws_vpc.default.cidr_block + from_port = 443 + ip_protocol = "tcp" + to_port = 443 +} + +resource "aws_vpc_security_group_egress_rule" "this3" { + security_group_id = aws_security_group.this.id + cidr_ipv4 = "0.0.0.0/0" + ip_protocol = "-1" +} + +resource "aws_vpc_security_group_egress_rule" "this4" { + security_group_id = aws_security_group.this.id + cidr_ipv6 = "::/0" + ip_protocol = "-1" +} + +resource "aws_vpc_security_group_ingress_rule" "this5" { + security_group_id = aws_security_group.this.id + referenced_security_group_id = data.aws_security_group.this.id + from_port = 443 + ip_protocol = "tcp" + to_port = 443 +} + +resource "aws_vpc_security_group_ingress_rule" "this6" { + security_group_id = aws_security_group.this.id + prefix_list_id = aws_ec2_managed_prefix_list.this.id + from_port = 443 + ip_protocol = "tcp" + to_port = 443 +} + +resource "aws_ec2_managed_prefix_list" "this" { + name = 
"005_prefix_list_red2" + address_family = "IPv4" + max_entries = 5 + + entry { + cidr = data.aws_vpc.default.cidr_block + description = "test" + } +} \ No newline at end of file diff --git a/terraform/ecc-aws-163-rds_database_instance_engine_no_default_ports/green/rds.tf b/terraform/ecc-aws-163-rds_database_instance_engine_no_default_ports/green/rds.tf index 291c22852..235a0c213 100644 --- a/terraform/ecc-aws-163-rds_database_instance_engine_no_default_ports/green/rds.tf +++ b/terraform/ecc-aws-163-rds_database_instance_engine_no_default_ports/green/rds.tf @@ -11,7 +11,7 @@ resource "random_password" "this" { override_special = "!#$%*()-_=+[]{}:?" } -resource "aws_db_instance" "default" { +resource "aws_db_instance" "this" { identifier = "database-163-green" allocated_storage = 10 engine = "mysql" diff --git a/terraform/ecc-aws-163-rds_database_instance_engine_no_default_ports/red/rds.tf b/terraform/ecc-aws-163-rds_database_instance_engine_no_default_ports/red/rds.tf index 2879bbeac..8a60ac6cc 100644 --- a/terraform/ecc-aws-163-rds_database_instance_engine_no_default_ports/red/rds.tf +++ b/terraform/ecc-aws-163-rds_database_instance_engine_no_default_ports/red/rds.tf @@ -11,7 +11,7 @@ resource "random_password" "this" { override_special = "!#$%*()-_=+[]{}:?" } -resource "aws_db_instance" "default" { +resource "aws_db_instance" "this" { identifier = "database-163-red" allocated_storage = 10 engine = "mysql" diff --git a/tests/ecc-aws-005-rds_not_open_to_large_scope/placebo-green/ec2.DescribeSecurityGroups_1.json b/tests/ecc-aws-005-rds_not_open_to_large_scope/placebo-green/ec2.DescribeSecurityGroups_1.json new file mode 100644 index 000000000..df2994c68 --- /dev/null +++ b/tests/ecc-aws-005-rds_not_open_to_large_scope/placebo-green/ec2.DescribeSecurityGroups_1.json 
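Review bot: red2/vpc.tf is the only variant whose open ingress is IPv6 (`cidr_ipv6 = "::/0"` on `this1`), i.e. the `IpPermissions[].Ipv6Ranges[].CidrIpv6` half of the new policy key, yet no placebo fixture is recorded from it: the single placebo-red DescribeSecurityGroups fixture carries `Name` tag `005_security_group_red1`, and its tcp/100 rule lists `0.0.0.0/0` alongside `::/0`, so the IPv6-only case is never checked in isolation. Record a fixture from this variant (or add a second `SecurityGroups` entry with only an `Ipv6Ranges` match) so a regression in the IPv6 part of the key is caught. `data.aws_subnets.this` is unreferenced here too, as in green/vpc.tf; the hunk starts on the previous line.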
@@ -0,0 +1,70 @@ +{ + "status_code": 200, + "data": { + "SecurityGroups": [ + { + "GroupId": "sg-02bd4f805bf716db9", + "IpPermissionsEgress": [ + { + "IpProtocol": "-1", + "UserIdGroupPairs": [], + "IpRanges": [ + { + "CidrIp": "0.0.0.0/0" + } + ], + "Ipv6Ranges": [ + { + "CidrIpv6": "::/0" + } + ], + "PrefixListIds": [] + } + ], + "Tags": [ + { + "Key": "ComplianceStatus", + "Value": "Green" + }, + { + "Key": "CustodianRule", + "Value": "ecc-aws-005-rds_not_open_to_large_scope" + }, + { + "Key": "Name", + "Value": "005_security_group_green" + } + ], + "VpcId": "vpc-0000000", + "OwnerId": "644160558196", + "GroupName": "005_security_group_green", + "Description": "Allow all inbound traffic", + "IpPermissions": [ + { + "IpProtocol": "tcp", + "FromPort": 443, + "ToPort": 443, + "UserIdGroupPairs": [ + { + "UserId": "644160558196", + "GroupId": "sg-0000000" + } + ], + "IpRanges": [ + { + "CidrIp": "172.31.0.0/16" + } + ], + "Ipv6Ranges": [], + "PrefixListIds": [ + { + "PrefixListId": "pl-09dbcccf1648249ab" + } + ] + } + ] + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/non-compatible/tests/ecc-aws-005-rds_not_open_to_large_scope/placebo-green/rds.DescribeDBInstances_1.json b/tests/ecc-aws-005-rds_not_open_to_large_scope/placebo-green/rds.DescribeDBInstances_1.json similarity index 58% rename from non-compatible/tests/ecc-aws-005-rds_not_open_to_large_scope/placebo-green/rds.DescribeDBInstances_1.json rename to tests/ecc-aws-005-rds_not_open_to_large_scope/placebo-green/rds.DescribeDBInstances_1.json index 478682c7b..031f30c0f 100644 --- a/non-compatible/tests/ecc-aws-005-rds_not_open_to_large_scope/placebo-green/rds.DescribeDBInstances_1.json +++ b/tests/ecc-aws-005-rds_not_open_to_large_scope/placebo-green/rds.DescribeDBInstances_1.json 
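Review bot: Scrubbing is inconsistent in this fixture: `VpcId` and the referenced `GroupId` are zeroed (`vpc-0000000`, `sg-0000000`) while `OwnerId`/`UserId` keep the real account id `644160558196` and `GroupId`/`PrefixListId` keep live identifiers (`sg-02bd4f805bf716db9`, `pl-09dbcccf1648249ab`). An account id is not a secret, but half-scrubbed recordings are harder to reason about and the live ids change on every re-record, inflating diffs; either placeholder all of them or none. If the group id is placeholdered, change it in the matching rds.DescribeDBInstances fixture as well, since the filter presumably joins `VpcSecurityGroupId` there to `GroupId` here. The same mix appears in the green rds.DescribeDBInstances hunk (`DBInstanceArn`, `DbiResourceId`) and in the placebo-red ec2.DescribeSecurityGroups hunk.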
@@ -1,132 +1,161 @@ -{ - "status_code": 200, - "data": { - "DBInstances": [ - { - "DBInstanceIdentifier": "terraform-20210713092818720000000001", - "DBInstanceClass": "db.t2.micro", - "Engine": "mysql", - "DBInstanceStatus": "available", - "MasterUsername": "root", - "DBName": "custodian005green", - "Endpoint": { - "Address": "terraform-20210713092818720000000001.chhajgiktbgu.us-east-1.rds.amazonaws.com", - "Port": 3306, - "HostedZoneId": "Z2R2ITUGPM61AM" - }, - "AllocatedStorage": 20, - "InstanceCreateTime": { - "__class__": "datetime", - "year": 2021, - "month": 7, - "day": 13, - "hour": 9, - "minute": 32, - "second": 54, - "microsecond": 318000 - }, - "PreferredBackupWindow": "06:09-06:39", - "BackupRetentionPeriod": 0, - "DBSecurityGroups": [], - "VpcSecurityGroups": [ - { - "VpcSecurityGroupId": "sg-1212121212121212", - "Status": "active" - } - ], - "DBParameterGroups": [ - { - "DBParameterGroupName": "default.mysql5.7", - "ParameterApplyStatus": "in-sync" - } - ], - "AvailabilityZone": "us-east-1a", - "DBSubnetGroup": { - "DBSubnetGroupName": "default", - "DBSubnetGroupDescription": "default", - "VpcId": "vpc-12121212", - "SubnetGroupStatus": "Complete", - "Subnets": [ - { - "SubnetIdentifier": "subnet-121212121", - "SubnetAvailabilityZone": { - "Name": "us-east-1a" - }, - "SubnetOutpost": {}, - "SubnetStatus": "Active" - }, - { - "SubnetIdentifier": "subnet-2121211221", - "SubnetAvailabilityZone": { - "Name": "us-east-1e" - }, - "SubnetOutpost": {}, - "SubnetStatus": "Active" - }, - { - "SubnetIdentifier": "subnet-21212112211", - "SubnetAvailabilityZone": { - "Name": "us-east-1b" - }, - "SubnetOutpost": {}, - "SubnetStatus": "Active" - }, - { - "SubnetIdentifier": "subnet-2121211221112", - "SubnetAvailabilityZone": { - "Name": "us-east-1f" - }, - "SubnetOutpost": {}, - "SubnetStatus": "Active" - }, - { - "SubnetIdentifier": "subnet-2111211221112", - "SubnetAvailabilityZone": { - "Name": "us-east-1d" - }, - "SubnetOutpost": {}, - "SubnetStatus": "Active" - }, 
- { - "SubnetIdentifier": "subnet-213232311221112", - "SubnetAvailabilityZone": { - "Name": "us-east-1c" - }, - "SubnetOutpost": {}, - "SubnetStatus": "Active" - } - ] - }, - "PreferredMaintenanceWindow": "wed:07:48-wed:08:18", - "PendingModifiedValues": {}, - "MultiAZ": false, - "EngineVersion": "5.7.33", - "AutoMinorVersionUpgrade": true, - "ReadReplicaDBInstanceIdentifiers": [], - "LicenseModel": "general-public-license", - "OptionGroupMemberships": [ - { - "OptionGroupName": "default:mysql-5-7", - "Status": "in-sync" - } - ], - "PubliclyAccessible": false, - "StorageType": "gp2", - "DbInstancePort": 0, - "StorageEncrypted": false, - "DbiResourceId": "db-WVAMDRF6ZEOFKXXIAJKNBEQZCY", - "CACertificateIdentifier": "rds-ca-2019", - "DomainMemberships": [], - "CopyTagsToSnapshot": false, - "MonitoringInterval": 0, - "DBInstanceArn": "arn:aws:rds:us-east-1:this:db:terraform-20210713092818720000000001", - "IAMDatabaseAuthenticationEnabled": false, - "PerformanceInsightsEnabled": false, - "DeletionProtection": false, - "AssociatedRoles": [], - "TagList": [] - } - ], - "ResponseMetadata": {} - } +{ + "status_code": 200, + "data": { + "DBInstances": [ + { + "DBInstanceIdentifier": "database-005-green", + "DBInstanceClass": "db.t4g.micro", + "Engine": "mysql", + "DBInstanceStatus": "available", + "MasterUsername": "root", + "Endpoint": { + "Address": "database-005-green.chggyiwy8hi5.us-east-1.rds.amazonaws.com", + "Port": 3306, + "HostedZoneId": "Z2R2ITUGPM61AM" + }, + "AllocatedStorage": 20, + "InstanceCreateTime": { + "__class__": "datetime", + "year": 2025, + "month": 1, + "day": 30, + "hour": 19, + "minute": 43, + "second": 54, + "microsecond": 510000 + }, + "PreferredBackupWindow": "03:33-04:03", + "BackupRetentionPeriod": 0, + "DBSecurityGroups": [], + "VpcSecurityGroups": [ + { + "VpcSecurityGroupId": "sg-02bd4f805bf716db9", + "Status": "active" + } + ], + "DBParameterGroups": [ + { + "DBParameterGroupName": "default.mysql8.0", + "ParameterApplyStatus": "in-sync" + 
} + ], + "AvailabilityZone": "us-east-1b", + "DBSubnetGroup": { + "DBSubnetGroupName": "default", + "DBSubnetGroupDescription": "default", + "VpcId": "vpc-0000000", + "SubnetGroupStatus": "Complete", + "Subnets": [ + { + "SubnetIdentifier": "subnet-0000000", + "SubnetAvailabilityZone": { + "Name": "us-east-1b" + }, + "SubnetOutpost": {}, + "SubnetStatus": "Active" + }, + { + "SubnetIdentifier": "subnet-0000000", + "SubnetAvailabilityZone": { + "Name": "us-east-1c" + }, + "SubnetOutpost": {}, + "SubnetStatus": "Active" + }, + { + "SubnetIdentifier": "subnet-0000000", + "SubnetAvailabilityZone": { + "Name": "us-east-1f" + }, + "SubnetOutpost": {}, + "SubnetStatus": "Active" + }, + { + "SubnetIdentifier": "subnet-0000000", + "SubnetAvailabilityZone": { + "Name": "us-east-1a" + }, + "SubnetOutpost": {}, + "SubnetStatus": "Active" + }, + { + "SubnetIdentifier": "subnet-0000000", + "SubnetAvailabilityZone": { + "Name": "us-east-1e" + }, + "SubnetOutpost": {}, + "SubnetStatus": "Active" + }, + { + "SubnetIdentifier": "subnet-0000000", + "SubnetAvailabilityZone": { + "Name": "us-east-1d" + }, + "SubnetOutpost": {}, + "SubnetStatus": "Active" + } + ] + }, + "PreferredMaintenanceWindow": "fri:07:52-fri:08:22", + "PendingModifiedValues": {}, + "MultiAZ": false, + "EngineVersion": "8.0.40", + "AutoMinorVersionUpgrade": true, + "ReadReplicaDBInstanceIdentifiers": [], + "LicenseModel": "general-public-license", + "OptionGroupMemberships": [ + { + "OptionGroupName": "default:mysql-8-0", + "Status": "in-sync" + } + ], + "PubliclyAccessible": false, + "StorageType": "gp2", + "DbInstancePort": 0, + "StorageEncrypted": false, + "DbiResourceId": "db-HZVLHN7L65LJ7XXLEOH7PIELBM", + "CACertificateIdentifier": "rds-ca-rsa2048-g1", + "DomainMemberships": [], + "CopyTagsToSnapshot": false, + "MonitoringInterval": 0, + "DBInstanceArn": "arn:aws:rds:us-east-1:644160558196:db:database-005-green", + "IAMDatabaseAuthenticationEnabled": false, + "PerformanceInsightsEnabled": false, + 
"DeletionProtection": false, + "AssociatedRoles": [], + "TagList": [ + { + "Key": "CustodianRule", + "Value": "ecc-aws-005-rds_not_open_to_large_scope" + }, + { + "Key": "ComplianceStatus", + "Value": "Green" + } + ], + "CustomerOwnedIpEnabled": false, + "ActivityStreamStatus": "stopped", + "BackupTarget": "region", + "NetworkType": "IPV4", + "StorageThroughput": 0, + "CertificateDetails": { + "CAIdentifier": "rds-ca-rsa2048-g1", + "ValidTill": { + "__class__": "datetime", + "year": 2026, + "month": 1, + "day": 30, + "hour": 19, + "minute": 43, + "second": 5, + "microsecond": 0 + } + }, + "DedicatedLogVolume": false, + "IsStorageConfigUpgradeAvailable": false, + "EngineLifecycleSupport": "open-source-rds-extended-support-disabled" + } + ], + "ResponseMetadata": {} + } } \ No newline at end of file diff --git a/tests/ecc-aws-005-rds_not_open_to_large_scope/placebo-red/ec2.DescribeSecurityGroups_1.json b/tests/ecc-aws-005-rds_not_open_to_large_scope/placebo-red/ec2.DescribeSecurityGroups_1.json new file mode 100644 index 000000000..b23880340 --- /dev/null +++ b/tests/ecc-aws-005-rds_not_open_to_large_scope/placebo-red/ec2.DescribeSecurityGroups_1.json 
@@ -0,0 +1,98 @@ +{ + "status_code": 200, + "data": { + "SecurityGroups": [ + { + "GroupId": "sg-0dd1423c6065538f1", + "IpPermissionsEgress": [ + { + "IpProtocol": "-1", + "UserIdGroupPairs": [], + "IpRanges": [ + { + "CidrIp": "0.0.0.0/0" + } + ], + "Ipv6Ranges": [ + { + "CidrIpv6": "::/0" + } + ], + "PrefixListIds": [] + } + ], + "Tags": [ + { + "Key": "ComplianceStatus", + "Value": "Red" + }, + { + "Key": "CustodianRule", + "Value": "ecc-aws-005-rds_not_open_to_large_scope" + }, + { + "Key": "Name", + "Value": "005_security_group_red1" + } + ], + "VpcId": "vpc-0000000", + "OwnerId": "644160558196", + "GroupName": "005_security_group_red1", + "Description": "Allow all inbound traffic", + "IpPermissions": [ + { + "IpProtocol": "-1", + "UserIdGroupPairs": [], + "IpRanges": [ + { + "CidrIp": "0.0.0.0/0" + } + ], + "Ipv6Ranges": [], + "PrefixListIds": [] + }, + { + "IpProtocol": "tcp", + "FromPort": 100, + "ToPort": 100, + "UserIdGroupPairs": [], + "IpRanges": [ + { + "CidrIp": "0.0.0.0/0" + } + ], + "Ipv6Ranges": [ + { + "CidrIpv6": "::/0" + } + ], + "PrefixListIds": [] + }, + { + "IpProtocol": "tcp", + "FromPort": 443, + "ToPort": 443, + "UserIdGroupPairs": [ + { + "UserId": "644160558196", + "GroupId": "sg-0000000" + } + ], + "IpRanges": [ + { + "CidrIp": "172.31.0.0/16" + } + ], + "Ipv6Ranges": [], + "PrefixListIds": [ + { + "PrefixListId": "pl-038308fde972936d7" + } + ] + } + ] + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/non-compatible/tests/ecc-aws-005-rds_not_open_to_large_scope/placebo-red/rds.DescribeDBInstances_1.json b/tests/ecc-aws-005-rds_not_open_to_large_scope/placebo-red/rds.DescribeDBInstances_1.json similarity index 59% rename from non-compatible/tests/ecc-aws-005-rds_not_open_to_large_scope/placebo-red/rds.DescribeDBInstances_1.json rename to tests/ecc-aws-005-rds_not_open_to_large_scope/placebo-red/rds.DescribeDBInstances_1.json index 13e02dbb9..bf32e31e4 100644 
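Review bot: The recorded group does not match what red1/vpc.tf creates: this fixture has three ingress permissions, including an all-protocol rule (`"IpProtocol": "-1"` from `0.0.0.0/0`) that no `aws_vpc_security_group_ingress_rule` in red1/vpc.tf defines, and its tcp/100 rule lists both `0.0.0.0/0` and `::/0` where the terraform declares only `cidr_ipv4 = "0.0.0.0/0"`. It looks like the recording was taken after the group was changed outside terraform, so the red test passes on rules the committed infrastructure never creates. Re-record from a clean apply of red1 so the fixture proves the committed case, and keep the `Name`/`ComplianceStatus` tags in step with the provider `default_tags` of the variant it was taken from.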
--- a/non-compatible/tests/ecc-aws-005-rds_not_open_to_large_scope/placebo-red/rds.DescribeDBInstances_1.json +++ b/tests/ecc-aws-005-rds_not_open_to_large_scope/placebo-red/rds.DescribeDBInstances_1.json 
@@ -1,132 +1,161 @@
-{
- "status_code": 200,
- "data": {
- "DBInstances": [
- {
- "DBInstanceIdentifier": "terraform-20210713092855084100000001",
- "DBInstanceClass": "db.t2.micro",
- "Engine": "mysql",
- "DBInstanceStatus": "available",
- "MasterUsername": "root",
- "DBName": "custodian005red",
- "Endpoint": {
- "Address": "terraform-20210713092855084100000001.chhajgiktbgu.us-east-1.rds.amazonaws.com",
- "Port": 3306,
- "HostedZoneId": "Z2R2ITUGPM61AM"
- },
- "AllocatedStorage": 20,
- "InstanceCreateTime": {
- "__class__": "datetime",
- "year": 2021,
- "month": 7,
- "day": 13,
- "hour": 9,
- "minute": 33,
- "second": 13,
- "microsecond": 878000
- },
- "PreferredBackupWindow": "09:16-09:46",
- "BackupRetentionPeriod": 0,
- "DBSecurityGroups": [],
- "VpcSecurityGroups": [
- {
- "VpcSecurityGroupId": "sg-1212121212121212",
- "Status": "active"
- }
- ],
- "DBParameterGroups": [
- {
- "DBParameterGroupName": "default.mysql5.7",
- "ParameterApplyStatus": "in-sync"
- }
- ],
- "AvailabilityZone": "us-east-1a",
- "DBSubnetGroup": {
- "DBSubnetGroupName": "default",
- "DBSubnetGroupDescription": "default",
- "VpcId": "vpc-1212121",
- "SubnetGroupStatus": "Complete",
- "Subnets": [
- {
- "SubnetIdentifier": "subnet-12121212",
- "SubnetAvailabilityZone": {
- "Name": "us-east-1a"
- },
- "SubnetOutpost": {},
- "SubnetStatus": "Active"
- },
- {
- "SubnetIdentifier": "subnet-121212122",
- "SubnetAvailabilityZone": {
- "Name": "us-east-1e"
- },
- "SubnetOutpost": {},
- "SubnetStatus": "Active"
- },
- {
- "SubnetIdentifier": "subnet-1212121222",
- "SubnetAvailabilityZone": {
- "Name": "us-east-1b"
- },
- "SubnetOutpost": {},
- "SubnetStatus": "Active"
- },
- {
- "SubnetIdentifier": "subnet-121212122212",
- "SubnetAvailabilityZone": {
- "Name": "us-east-1f"
- },
- "SubnetOutpost": {},
- "SubnetStatus": "Active"
- },
- {
- "SubnetIdentifier": "subnet-12121212221212",
- "SubnetAvailabilityZone": {
- "Name": "us-east-1d"
- },
- "SubnetOutpost": {},
- "SubnetStatus": "Active"
- },
- {
- "SubnetIdentifier": "subnet-1212121222121212",
- "SubnetAvailabilityZone": {
- "Name": "us-east-1c"
- },
- "SubnetOutpost": {},
- "SubnetStatus": "Active"
- }
- ]
- },
- "PreferredMaintenanceWindow": "thu:07:09-thu:07:39",
- "PendingModifiedValues": {},
- "MultiAZ": false,
- "EngineVersion": "5.7.33",
- "AutoMinorVersionUpgrade": true,
- "ReadReplicaDBInstanceIdentifiers": [],
- "LicenseModel": "general-public-license",
- "OptionGroupMemberships": [
- {
- "OptionGroupName": "default:mysql-5-7",
- "Status": "in-sync"
- }
- ],
- "PubliclyAccessible": false,
- "StorageType": "gp2",
- "DbInstancePort": 0,
- "StorageEncrypted": false,
- "DbiResourceId": "db-CISH6ALDSYRPSNPEQVOXXQSH2Q",
- "CACertificateIdentifier": "rds-ca-2019",
- "DomainMemberships": [],
- "CopyTagsToSnapshot": false,
- "MonitoringInterval": 0,
- "DBInstanceArn": "arn:aws:rds:us-east-1:this:db:terraform-20210713092855084100000001",
- "IAMDatabaseAuthenticationEnabled": false,
- "PerformanceInsightsEnabled": false,
- "DeletionProtection": false,
- "AssociatedRoles": [],
- "TagList": []
- }
- ],
- "ResponseMetadata": {}
- }
+{
+ "status_code": 200,
+ "data": {
+ "DBInstances": [
+ {
+ "DBInstanceIdentifier": "database-005-red1",
+ "DBInstanceClass": "db.t4g.micro",
+ "Engine": "mysql",
+ "DBInstanceStatus": "available",
+ "MasterUsername": "root",
+ "Endpoint": {
+ "Address": "database-005-red1.chggyiwy8hi5.us-east-1.rds.amazonaws.com",
+ "Port": 3306,
+ "HostedZoneId": "Z2R2ITUGPM61AM"
+ },
+ "AllocatedStorage": 20,
+ "InstanceCreateTime": {
+ "__class__": "datetime",
+ "year": 2025,
+ "month": 1,
+ "day": 30,
+ "hour": 18,
+ "minute": 42,
+ "second": 1,
+ "microsecond": 280000
+ },
+ "PreferredBackupWindow": "09:16-09:46",
+ "BackupRetentionPeriod": 0,
+ "DBSecurityGroups": [],
+ "VpcSecurityGroups": [
+ {
+ "VpcSecurityGroupId": "sg-0dd1423c6065538f1",
+ "Status": "active"
+ }
+ ],
+ "DBParameterGroups": [
+ {
+ "DBParameterGroupName": "default.mysql8.0",
+ "ParameterApplyStatus": "in-sync"
+ }
+ ],
+ "AvailabilityZone": "us-east-1c",
+ "DBSubnetGroup": {
+ "DBSubnetGroupName": "default",
+ "DBSubnetGroupDescription": "default",
+ "VpcId": "vpc-0000000",
+ "SubnetGroupStatus": "Complete",
+ "Subnets": [
+ {
+ "SubnetIdentifier": "subnet-0000000",
+ "SubnetAvailabilityZone": {
+ "Name": "us-east-1b"
+ },
+ "SubnetOutpost": {},
+ "SubnetStatus": "Active"
+ },
+ {
+ "SubnetIdentifier": "subnet-0000000",
+ "SubnetAvailabilityZone": {
+ "Name": "us-east-1c"
+ },
+ "SubnetOutpost": {},
+ "SubnetStatus": "Active"
+ },
+ {
+ "SubnetIdentifier": "subnet-0000000",
+ "SubnetAvailabilityZone": {
+ "Name": "us-east-1f"
+ },
+ "SubnetOutpost": {},
+ "SubnetStatus": "Active"
+ },
+ {
+ "SubnetIdentifier": "subnet-0000000",
+ "SubnetAvailabilityZone": {
+ "Name": "us-east-1a"
+ },
+ "SubnetOutpost": {},
+ "SubnetStatus": "Active"
+ },
+ {
+ "SubnetIdentifier": "subnet-0000000",
+ "SubnetAvailabilityZone": {
+ "Name": "us-east-1e"
+ },
+ "SubnetOutpost": {},
+ "SubnetStatus": "Active"
+ },
+ {
+ "SubnetIdentifier": "subnet-0000000",
+ "SubnetAvailabilityZone": {
+ "Name": "us-east-1d"
+ },
+ "SubnetOutpost": {},
+ "SubnetStatus": "Active"
+ }
+ ]
+ },
+ "PreferredMaintenanceWindow": "sun:04:07-sun:04:37",
+ "PendingModifiedValues": {},
+ "MultiAZ": false,
+ "EngineVersion": "8.0.40",
+ "AutoMinorVersionUpgrade": true,
+ "ReadReplicaDBInstanceIdentifiers": [],
+ "LicenseModel": "general-public-license",
+ "OptionGroupMemberships": [
+ {
+ "OptionGroupName": "default:mysql-8-0",
+ "Status": "in-sync"
+ }
+ ],
+ "PubliclyAccessible": false,
+ "StorageType": "gp2",
+ "DbInstancePort": 0,
+ "StorageEncrypted": false,
+ "DbiResourceId": "db-X6DMI3OI2BD5ZFSWZ5OKTWOQWQ",
+ "CACertificateIdentifier": "rds-ca-rsa2048-g1",
+ "DomainMemberships": [],
+ "CopyTagsToSnapshot": false,
+ "MonitoringInterval": 0,
+ "DBInstanceArn": "arn:aws:rds:us-east-1:644160558196:db:database-005-red1",
+ "IAMDatabaseAuthenticationEnabled": false,
+ "PerformanceInsightsEnabled": false,
+ "DeletionProtection": false,
+ "AssociatedRoles": [],
+ "TagList": [
+ {
+ "Key": "CustodianRule",
+ "Value": "ecc-aws-005-rds_not_open_to_large_scope"
+ },
+ {
+ "Key": "ComplianceStatus",
+ "Value": "Red"
+ }
+ ],
+ "CustomerOwnedIpEnabled": false,
+ "ActivityStreamStatus": "stopped",
+ "BackupTarget": "region",
+ "NetworkType": "IPV4",
+ "StorageThroughput": 0,
+ "CertificateDetails": {
+ "CAIdentifier": "rds-ca-rsa2048-g1",
+ "ValidTill": {
+ "__class__": "datetime",
+ "year": 2026,
+ "month": 1,
+ "day": 30,
+ "hour": 18,
+ "minute": 41,
+ "second": 11,
+ "microsecond": 0
+ }
+ },
+ "DedicatedLogVolume": false,
+ "IsStorageConfigUpgradeAvailable": false,
+ "EngineLifecycleSupport": "open-source-rds-extended-support-disabled"
+ }
+ ],
+ "ResponseMetadata": {}
+ }
 }
\ No newline at end of file
diff --git a/non-compatible/tests/ecc-aws-005-rds_not_open_to_large_scope/red_policy_test.py b/tests/ecc-aws-005-rds_not_open_to_large_scope/red_policy_test.py
similarity index 100%
rename from non-compatible/tests/ecc-aws-005-rds_not_open_to_large_scope/red_policy_test.py
rename to tests/ecc-aws-005-rds_not_open_to_large_scope/red_policy_test.py