upd: update policies 283, 434, 461, 508, 536, 549, 598

Policies that check the latest or deprecated versions has been updated to reflect the latest changes in the cloud provider.

policies/ecc-aws-283-elasticsearch_latest_version.yml

@@ -9,10 +9,10 @@ policies:
   - name: ecc-aws-283-elasticsearch_latest_version
     comment: '010021052000'
     description: |
-      ElasticSearch is not using the latest OpenSearch version
+      OpenSearch is not using the latest engine version
     resource: elasticsearch
     filters:
       - not:
           - type: value
             key: ElasticsearchVersion
-            value: 'OpenSearch_2.11'
+            value: 'OpenSearch_2.15'

policies/ecc-aws-434-mq_broker_latest_version.yml

@@ -18,15 +18,15 @@ policies:
                   - type: value
                     key: EngineVersion
                     op: regex
-                    value: 3.12.*
+                    value: 3.13.*
                   - type: value
                     key: EngineType
                     value: RabbitMQ
               - and:
                   - type: value
                     key: EngineVersion
                     op: regex
-                    value: 5.17.*
+                    value: 5.18.*
                   - type: value
                     key: EngineType
                     value: ActiveMQ

policies/ecc-aws-461-lambda_latest_runtime_environment_version.yml

@@ -15,8 +15,12 @@ policies:
       - type: value
         key: PackageType
         value: Zip
+      - type: value
+        key: Runtime
+        op: in
+        value: [nodejs18.x, python3.11, python3.10, python3.9, java17, java11, java8.al2, dotnet6, ruby3.2, provided.al2]
       - not:
           - type: value
             key: Runtime
             op: regex
-            value: '(nodejs20.x|python3.12|java21|dotnetcore3.1|dotnet6|go1.x|ruby3.2)'
+            value: '(nodejs20\.x|python3\.12|java21|provided\.al2023|dotnet8|ruby3\.3)'

policies/ecc-aws-508-mwaa_latest_version.yml

@@ -15,4 +15,4 @@ policies:
       - not:
           - type: value
             key: AirflowVersion
-            value: '2.9.2'
+            value: '2.10.1'

policies/ecc-aws-536-lambda_function_settings_check.yml

@@ -9,7 +9,7 @@ policies:
   - name: ecc-aws-536-lambda_function_settings_check
     comment: '010028030400'
     description: |
-      Lambda functions should not use no longer supported runtimes
+      Lambda functions should not use deprecated runtimes
     resource: aws.lambda
     filters:
       - type: value
@@ -19,4 +19,4 @@ policies:
           - type: value
             key: Runtime
             op: in
-            value: [dotnet8, dotnet6, java21, java17, java11, java8.al2, nodejs20.x, nodejs18.x, nodejs16.x, python3.12, python3.11, python3.10, python3.9, python3.8, ruby3.3, ruby3.2]
+            value: [nodejs20.x, nodejs18.x, python3.12, python3.11, python3.10, python3.9, java21, java17, java11, java8.al2, dotnet8, dotnet6, ruby3.3, ruby3.2, provided.al2023, provided.al2]

policies/ecc-aws-549-ec2_instance_previous_generation.yml

@@ -19,4 +19,4 @@ policies:
       - type: value
         key: InstanceType
         op: regex
-        value: '(m1|m2|m3|m4|t1|c1|c2|c3|i2|cr1|r3|r4|hs1|g2|a1|d2).[^\s]+'
+        value: '(m1|m2|m3|m4|t1|c1|c2|c3|c4|cc2|i2|cr1|r3|r4|hs1|g2|a1|d2).[^\s]+'

policies/ecc-aws-598-redshift_instance_generation.yml

@@ -15,4 +15,4 @@ policies:
       - type: value
         key: NodeType
         op: regex
-        value: '(dc1|ds2).[^\s]+'
+        value: '(dc1|ds1|ds2).[^\s]+'

terraform/ecc-aws-283-elasticsearch_latest_version/green/elasticsearch.tf

@@ -1,6 +1,8 @@
+# takes about 20 min to deploy
+
 resource "aws_elasticsearch_domain" "this" {
   domain_name           = "elasticsearch-283-green"
-  elasticsearch_version = "OpenSearch_2.11"
+  elasticsearch_version = "OpenSearch_2.15"
 
   ebs_options {
     ebs_enabled = true

terraform/ecc-aws-283-elasticsearch_latest_version/red/elasticsearch.tf

@@ -1,3 +1,5 @@
+# takes about 20 min to deploy
+
 resource "aws_elasticsearch_domain" "this" {
   domain_name           = "elasticsearch-283-red"
   elasticsearch_version = "7.4"

terraform/ecc-aws-434-mq_broker_latest_version/green/mq.tf

@@ -1,8 +1,11 @@
+# takes about 10 min to deploy
+
 resource "aws_mq_broker" "this" {
   broker_name = "mq-broker-active-434-green"
   engine_type                = "ActiveMQ"
-  engine_version             = "5.17.6"
+  engine_version             = "5.18"
   host_instance_type         = "mq.t2.micro"
+  auto_minor_version_upgrade = true
 
   user {
     username = "root"
@@ -13,9 +16,10 @@ resource "aws_mq_broker" "this" {
 resource "aws_mq_broker" "this1" {
   broker_name = "mq-broker-rabbit-434-green"
   engine_type                = "RabbitMQ"
-  engine_version             = "3.12.13"
+  engine_version             = "3.13"
   host_instance_type         = "mq.t3.micro"
   publicly_accessible        = true
+  auto_minor_version_upgrade = true
   user {
     username = "root"
     password = random_password.this.result

terraform/ecc-aws-434-mq_broker_latest_version/red/mq.tf

@@ -1,7 +1,9 @@
+# takes about 10 min to deploy
+
 resource "aws_mq_broker" "this" {
   broker_name                = "mq-broker-active-434-red"
   engine_type                = "ActiveMQ"
-  engine_version             = "5.15.9"
+  engine_version             = "5.17.6"
   host_instance_type         = "mq.t2.micro"
 
   user {
@@ -13,7 +15,7 @@ resource "aws_mq_broker" "this" {
 resource "aws_mq_broker" "this1" {
   broker_name                = "mq-broker-rabbit-434-red"
   engine_type                = "RabbitMQ"
-  engine_version             = "3.8.30"
+  engine_version             = "3.11.28"
   host_instance_type         = "mq.t3.micro"
   publicly_accessible        = true
   user {

terraform/ecc-aws-508-mwaa_latest_version/green/mwaa.tf

@@ -1,3 +1,5 @@
+# takes 30 min to deploy, 20 min to destroy
+
 resource "aws_mwaa_environment" "this" {
   dag_s3_path        = "dags/"
   execution_role_arn = aws_iam_role.this.arn

terraform/ecc-aws-508-mwaa_latest_version/green/provider.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 4"
+      version = "~> 5"
     }
   }
 }

terraform/ecc-aws-508-mwaa_latest_version/green/vpc.tf

@@ -40,11 +40,11 @@ resource "aws_subnet" "private2" {
 }
 
 resource "aws_eip" "this1" {
-  vpc        = true
+  domain   = "vpc"
   depends_on = [aws_internet_gateway.this]
 }
 resource "aws_eip" "this2" {
-  vpc        = true
+  domain   = "vpc"
   depends_on = [aws_internet_gateway.this]
 }
 

terraform/ecc-aws-508-mwaa_latest_version/red/mwaa.tf

@@ -1,9 +1,11 @@
+# takes 30 min to deploy, 20 min to destroy
+
 resource "aws_mwaa_environment" "this" {
   dag_s3_path        = "dags/"
   execution_role_arn = aws_iam_role.this.arn
   name               = "mwaa_508_red"
   max_workers        = 1
-  airflow_version    = "2.0.2"
+  airflow_version    = "2.8.1"
   network_configuration {
     security_group_ids = [aws_security_group.this.id]
     subnet_ids         = [aws_subnet.private1.id, aws_subnet.private2.id]

terraform/ecc-aws-508-mwaa_latest_version/red/provider.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 4"
+      version = "~> 5"
     }
   }
 }

terraform/ecc-aws-508-mwaa_latest_version/red/vpc.tf

@@ -40,11 +40,11 @@ resource "aws_subnet" "private2" {
 }
 
 resource "aws_eip" "this1" {
-  vpc        = true
+  domain   = "vpc"
   depends_on = [aws_internet_gateway.this]
 }
 resource "aws_eip" "this2" {
-  vpc        = true
+  domain   = "vpc"
   depends_on = [aws_internet_gateway.this]
 }
 

terraform/ecc-aws-536-lambda_function_settings_check/green/lambda.tf

@@ -47,5 +47,5 @@ resource "aws_lambda_function" "this" {
   function_name                  = "536_lambda_green"
   role                           = aws_iam_role.this.arn
   handler                        = "func.py"
-  runtime                        = "python3.8"
+  runtime                        = "python3.12"
 }

terraform/ecc-aws-536-lambda_function_settings_check/red/lambda.tf

@@ -0,0 +1,51 @@
+resource "aws_iam_role" "this" {
+  name = "536_role_red"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "lambda.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "this" {
+  name = "536_policy_red"
+  role = aws_iam_role.this.id
+
+  policy = <<-EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "ec2:DescribeNetworkInterfaces",
+                "ec2:CreateNetworkInterface",
+                "ec2:DeleteNetworkInterface",
+                "ec2:DescribeInstances",
+                "ec2:AttachNetworkInterface"
+                ],
+            "Resource": "*"
+        }
+    ]
+}
+  EOF
+}
+
+resource "aws_lambda_function" "this" {
+  filename      = "func.zip"
+  function_name = "536_lambda_red"
+  role          = aws_iam_role.this.arn
+  handler       = "lambda.py"
+  runtime       = "python3.8"
+}

terraform/ecc-aws-536-lambda_function_settings_check/red/provider.tf

@@ -0,0 +1,20 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5"
+    }
+  }
+}
+
+provider "aws" {
+  profile = var.profile
+  region  = var.default-region
+
+  default_tags {
+    tags = {
+      CustodianRule    = "ecc-aws-536-lambda_function_settings_check"
+      ComplianceStatus = "Red"
+    }
+  }
+}

terraform/ecc-aws-536-lambda_function_settings_check/red/terraform.tfvars

@@ -0,0 +1,2 @@
+profile        = "c7n"
+default-region = "us-east-1"

terraform/ecc-aws-536-lambda_function_settings_check/red/variables.tf

@@ -0,0 +1,9 @@
+variable "default-region" {
+  type        = string
+  description = "Default region for resources will be created"
+}
+
+variable "profile" {
+  type        = string
+  description = "Profile name configured before running apply"
+}