DoD for Open Rules
DoD (Definition of Done):

1. Create Terraform script
2. Create static rule
   2.1. Reverse rules
3. Write Python test
4. Create a file with minimal permissions
In order to test the rules, we create two kinds of infrastructure using Terraform: red and green.
A green infrastructure is used to check that the rule returns 0 resources when nothing violates it. There can be several green infrastructures, one for each case that can occur when the rule scans a customer's cloud infrastructure.
A red infrastructure is used to check that the rule returns exactly 1 resource when one resource violates it. Again, there can be several red infrastructures, one for each violating case that can occur in a customer's cloud infrastructure.
These Terraform scripts must be written in accordance with this guide: Terraform - Guide. Add comments to the scripts if some steps must be done manually, or if the comments would help others deploy the infrastructure as it was designed.
⚠️ Warning: before applying Terraform, check the cost of the resources you are creating.
Use the cheapest configuration for the resources you create, and destroy them as soon as you no longer need them.
Some resources are expensive, so work quickly to avoid a large bill. For those, prepare the rule and the test file in advance so the infrastructure is up only for as long as the check takes.
Rules name convention - see here
A policy should have the following format:

```yaml
policies:
  - name: ecc-[cloud]-[id]-[rule_name]
    resource: [cloud].[resource_name]
    description: |
      [Policy description in case a resource(-s) found]
    filters:
      ...
```
Example:

```yaml
policies:
  - name: ecc-aws-080-bucket_policy_allows_https_requests
    resource: aws.s3
    description: |
      S3 Bucket Policy allows HTTP requests
    filters:
      ...
```
Check that the rule works: deploy the green and red Terraform infrastructure and run the rule against each. The green deployment must return 0 resources and the red one exactly 1.
From time to time we come across rules that should not return every resource that violates the rule, but instead return the AWS account that does not have at least ONE resource satisfying all conditions of the rule.
These rules have resource set to aws.account and return 0 accounts for the green infrastructure and at most 1 for the red one. We use custom filters for this purpose.
An example of such a rule:
In this example the rule checks that at least ONE RDS event subscription matches all checks; otherwise it returns 1 resource, the ID of the AWS account that has no RDS event notification subscription configured for database parameter group events.
```yaml
policies:
  - name: ecc-aws-303-rds_database_parameter_group_events_notification_exists
    resource: aws.account
    description: |
      RDS event notifications subscription is not configured for database parameter group events
    filters:
      - type: rds-sns-subscription-filter
        check_in: rds
        key: SourceType=='db-parameter-group' && SourceIdsList==null && ( EventCategoriesList==null || EventCategoriesList.contains(@, 'configuration change')==`true`) && Enabled==`true`
        value: true
        op: eq
```
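As an added illustration (not code from the Open Rules repository or from Cloud Custodian), the plain-Python model below reproduces the decision the account-level filter above makes, so the red/green expectation can be checked offline before any Terraform is applied. The JMESPath key expression is rewritten by hand as `subscription_matches`; the account ID, the subscription records and the case labels are constructed sample data, and the green list plus the red cases cover the ways a subscription can fail the check, not only the "no subscription at all" case the text mentions.

```python
# Added example: a hand-written model of the aws.account rule above.
# The real rule evaluates the `key` expression with JMESPath inside the custom
# rds-sns-subscription-filter; here the same predicate is written in Python so the
# green/red behaviour can be exercised without AWS.

def subscription_matches(sub: dict) -> bool:
    """Equivalent of the rule's key expression:
    SourceType=='db-parameter-group' && SourceIdsList==null &&
    (EventCategoriesList==null || contains(EventCategoriesList, 'configuration change')) &&
    Enabled==true
    """
    categories = sub.get("EventCategoriesList")
    return (
        sub.get("SourceType") == "db-parameter-group"
        and sub.get("SourceIdsList") is None          # every parameter group, not a subset
        and (categories is None or "configuration change" in categories)
        and sub.get("Enabled") is True
    )


def account_filter(account_id: str, subscriptions: list) -> list:
    """Mirror of the aws.account semantics: the filter returns the account (one
    resource) only when NO subscription satisfies every check, otherwise nothing."""
    if any(subscription_matches(s) for s in subscriptions):
        return []
    return [account_id]


ACCOUNT = "111111111111"   # constructed sample account ID

# Constructed sample subscriptions, shaped like the fields the key expression reads.
COMPLIANT = {
    "CustSubscriptionId": "pg-events",
    "SourceType": "db-parameter-group",
    "SourceIdsList": None,          # no explicit source list: covers every parameter group
    "EventCategoriesList": None,    # no category list: covers every category
    "Enabled": True,
}
DISABLED = dict(COMPLIANT, CustSubscriptionId="pg-events-off", Enabled=False)
WRONG_SOURCE = dict(COMPLIANT, CustSubscriptionId="instance-events", SourceType="db-instance")
SUBSET_ONLY = dict(COMPLIANT, CustSubscriptionId="one-pg", SourceIdsList=["prod-pg"])
OTHER_CATEGORY = dict(COMPLIANT, CustSubscriptionId="no-config", EventCategoriesList=["deletion"])

# Green: at least one subscription passes every check, so the rule returns 0 resources.
GREEN = [WRONG_SOURCE, COMPLIANT]
# Red: each case has no subscription that passes, so the rule returns the account (1 resource).
RED_CASES = {
    "no subscriptions": [],
    "disabled": [DISABLED],
    "wrong source type": [WRONG_SOURCE],
    "subset of parameter groups": [SUBSET_ONLY],
    "category list without configuration change": [OTHER_CATEGORY],
}


def run_cases() -> dict:
    """Evaluate the filter over the green list and every red case; returns the
    number of resources the rule would report for each."""
    results = {"green": len(account_filter(ACCOUNT, GREEN))}
    for label, subs in RED_CASES.items():
        results["red: " + label] = len(account_filter(ACCOUNT, subs))
    return results


if __name__ == "__main__":
    for label, count in run_cases().items():
        print(f"{label}: {count} resource(s)")
```

Each red case corresponds to a separate red Terraform infrastructure; the point of listing them is that a single "no subscription" deployment does not prove the `SourceIdsList`, `EventCategoriesList` and `Enabled` parts of the expression are doing anything.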
Write the Python test following this guide: Python unit tests.
Create a file with the minimal permissions needed to run the rule.
Update the iam/All-permissions.json file with those permissions and make sure there are no duplicates.
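The merge and the duplicate check for the last two steps, as an added example that is not a script from the Open Rules repository. The page does not show the layout of iam/All-permissions.json or of a rule's minimal-permissions file, so this assumes both are IAM policy documents made of Allow statements on Resource "*" (a read-only scanning role) with Action given as a string or a list; anything else is refused rather than silently merged. The two JSON documents are constructed sample input.

```python
import json
from collections import Counter

# Added example, not the project's own tooling. Assumed layout (not shown on the page):
# iam/All-permissions.json and each rule's minimal-permissions file are IAM policy
# documents whose statements are all Allow on Resource "*".

def statements(doc: dict) -> list:
    """Return the Statement block as a list (IAM also allows a single object)."""
    stmts = doc.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def collect_actions(doc: dict) -> list:
    """Every Action in document order, duplicates kept, after checking the statement
    shape this tool assumes; a Deny or a scoped Resource aborts the merge."""
    actions = []
    for stmt in statements(doc):
        if stmt.get("Effect") != "Allow" or stmt.get("Resource") != "*":
            raise ValueError(f"unexpected statement shape, merge by hand: {stmt}")
        act = stmt.get("Action", [])
        actions.extend([act] if isinstance(act, str) else act)
    return actions


def find_duplicates(doc: dict) -> list:
    """Actions listed more than once. IAM action names are case-insensitive, so
    's3:GetObject' and 's3:getobject' count as the same permission."""
    counts = Counter(a.lower() for a in collect_actions(doc))
    return sorted(a for a, n in counts.items() if n > 1)


def merge_permissions(all_doc: dict, rule_doc: dict) -> tuple:
    """Merge a rule's minimal permissions into the aggregate document.
    Returns (merged_doc, newly_added): merged_doc holds one Allow statement with a
    sorted, de-duplicated Action list (first spelling wins); newly_added lists the
    actions the rule contributed that were not already present."""
    existing = {a.lower() for a in collect_actions(all_doc)}
    merged, seen = [], set()
    for a in collect_actions(all_doc) + collect_actions(rule_doc):
        if a.lower() not in seen:
            seen.add(a.lower())
            merged.append(a)
    merged_doc = {
        "Version": all_doc.get("Version", "2012-10-17"),
        "Statement": [{"Effect": "Allow", "Action": sorted(merged), "Resource": "*"}],
    }
    added = sorted(a for a in merged if a.lower() not in existing)
    return merged_doc, added


# Constructed sample documents; the lowercase s3:getbucketlocation is a deliberate
# duplicate so the check has something to report.
ALL_PERMISSIONS_JSON = """{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Resource": "*",
                 "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation", "s3:getbucketlocation"]}]
}"""
RULE_PERMISSIONS_JSON = """{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Resource": "*",
                 "Action": ["s3:ListAllMyBuckets", "s3:GetBucketPolicy"]}]
}"""


def demo() -> dict:
    """Run the duplicate check and the merge on the samples; returns the results."""
    all_doc = json.loads(ALL_PERMISSIONS_JSON)
    rule_doc = json.loads(RULE_PERMISSIONS_JSON)
    merged, added = merge_permissions(all_doc, rule_doc)
    return {
        "duplicates_before": find_duplicates(all_doc),
        "added": added,
        "duplicates_after": find_duplicates(merged),
        "actions": merged["Statement"][0]["Action"],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run `find_duplicates` on the aggregate file as a pre-commit check; it catches the case-variant duplicates that a plain string comparison or a visual scan misses.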