Yasuke/moto
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Cleanup pulldown script a bit, update managed rules (#4216)

Browse Source 
Co-authored-by: Karri Balk <kbalk@users.noreply.github.com>
This commit is contained in:
kbalk 2021-08-25 10:11:32 -04:00 committed by GitHub
parent 105bf863af
commit f038859a37
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 222 additions and 48 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

170
moto/config/resources/aws_managed_rules.json
View File

@ -145,6 +145,22 @@
], ],
"Trigger type": "Configuration changes" "Trigger type": "Configuration changes"
}, },
"AURORA_RESOURCES_PROTECTED_BY_BACKUP_PLAN": {
"AWS Region": "All supported AWS regions except China (Beijing), Africa (Cape Town), Asia Pacific (Osaka), Europe (Milan), AWS GovCloud (US-East), AWS GovCloud (US-West), US West (Oregon), and China (Ningxia) Region",
"Parameters": [
{
"Name": "resourceTags",
"Optional": true,
"Type": "String"
},
{
"Name": "resourceId",
"Optional": true,
"Type": "String"
}
],
"Trigger type": "Periodic"
},
"AUTOSCALING_GROUP_ELB_HEALTHCHECK_REQUIRED": { "AUTOSCALING_GROUP_ELB_HEALTHCHECK_REQUIRED": {
"AWS Region": "All supported AWS regions", "AWS Region": "All supported AWS regions",
"Parameters": [], "Parameters": [],
@ -155,6 +171,58 @@
"Parameters": [], "Parameters": [],
"Trigger type": "Configuration changes" "Trigger type": "Configuration changes"
}, },
"BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK": {
"AWS Region": "All supported AWS regions except China (Beijing), Africa (Cape Town), Asia Pacific (Osaka), Europe (Milan), AWS GovCloud (US-East), AWS GovCloud (US-West), US West (Oregon), and China (Ningxia) Region",
"Parameters": [
{
"Default": "1",
"Name": "requiredFrequencyValue",
"Optional": true,
"Type": "int"
},
{
"Default": "35",
"Name": "requiredRetentionDays",
"Optional": true,
"Type": "int"
},
{
"Default": "days",
"Name": "requiredFrequencyUnit",
"Optional": true,
"Type": "String"
}
],
"Trigger type": "Configuration changes"
},
"BACKUP_RECOVERY_POINT_ENCRYPTED": {
"AWS Region": "All supported AWS regions except China (Beijing), Africa (Cape Town), Asia Pacific (Osaka), Europe (Milan), AWS GovCloud (US-East), AWS GovCloud (US-West), US West (Oregon), and China (Ningxia) Region",
"Parameters": [],
"Trigger type": "Configuration changes"
},
"BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED": {
"AWS Region": "All supported AWS regions except China (Beijing), Africa (Cape Town), Asia Pacific (Osaka), Europe (Milan), AWS GovCloud (US-East), AWS GovCloud (US-West), US West (Oregon), and China (Ningxia) Region",
"Parameters": [
{
"Name": "principalArnList",
"Optional": true,
"Type": "CSV"
}
],
"Trigger type": "Configuration changes"
},
"BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK": {
"AWS Region": "All supported AWS regions except China (Beijing), Africa (Cape Town), Asia Pacific (Osaka), Europe (Milan), AWS GovCloud (US-East), AWS GovCloud (US-West), US West (Oregon), and China (Ningxia) Region",
"Parameters": [
{
"Default": "35",
"Name": "requiredRetentionDays",
"Optional": true,
"Type": "int"
}
],
"Trigger type": "Configuration changes"
},
"BEANSTALK_ENHANCED_HEALTH_REPORTING_ENABLED": { "BEANSTALK_ENHANCED_HEALTH_REPORTING_ENABLED": {
"AWS Region": "All supported AWS regions except China (Beijing), China (Ningxia), AWS GovCloud (US-East), AWS GovCloud (US-West), Asia Pacific (Osaka) Region", "AWS Region": "All supported AWS regions except China (Beijing), China (Ningxia), AWS GovCloud (US-East), AWS GovCloud (US-West), Asia Pacific (Osaka) Region",
"Parameters": [], "Parameters": [],
@ -593,6 +661,22 @@
"Parameters": [], "Parameters": [],
"Trigger type": "Configuration changes" "Trigger type": "Configuration changes"
}, },
"DYNAMODB_RESOURCES_PROTECTED_BY_BACKUP_PLAN": {
"AWS Region": "All supported AWS regions except China (Beijing), Africa (Cape Town), Asia Pacific (Osaka), Europe (Milan), AWS GovCloud (US-East), AWS GovCloud (US-West), US West (Oregon), and China (Ningxia) Region",
"Parameters": [
{
"Name": "resourceTags",
"Optional": true,
"Type": "String"
},
{
"Name": "resourceId",
"Optional": true,
"Type": "String"
}
],
"Trigger type": "Periodic"
},
"DYNAMODB_TABLE_ENCRYPTED_KMS": { "DYNAMODB_TABLE_ENCRYPTED_KMS": {
"AWS Region": "All supported AWS regions except Asia Pacific (Osaka) Region", "AWS Region": "All supported AWS regions except Asia Pacific (Osaka) Region",
"Parameters": [ "Parameters": [
@ -637,6 +721,22 @@
"Parameters": [], "Parameters": [],
"Trigger type": "Configuration changes" "Trigger type": "Configuration changes"
}, },
"EBS_RESOURCES_PROTECTED_BY_BACKUP_PLAN": {
"AWS Region": "All supported AWS regions except China (Beijing), Africa (Cape Town), Asia Pacific (Osaka), Europe (Milan), AWS GovCloud (US-East), AWS GovCloud (US-West), US West (Oregon), and China (Ningxia) Region",
"Parameters": [
{
"Name": "resourceTags",
"Optional": true,
"Type": "String"
},
{
"Name": "resourceId",
"Optional": true,
"Type": "String"
}
],
"Trigger type": "Periodic"
},
"EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK": { "EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK": {
"AWS Region": "All supported AWS regions except Asia Pacific (Osaka) Region", "AWS Region": "All supported AWS regions except Asia Pacific (Osaka) Region",
"Parameters": [], "Parameters": [],
@ -773,6 +873,22 @@
], ],
"Trigger type": "Configuration changes" "Trigger type": "Configuration changes"
}, },
"EC2_RESOURCES_PROTECTED_BY_BACKUP_PLAN": {
"AWS Region": "All supported AWS regions except China (Beijing), Africa (Cape Town), Asia Pacific (Osaka), Europe (Milan), AWS GovCloud (US-East), AWS GovCloud (US-West), US West (Oregon), and China (Ningxia) Region",
"Parameters": [
{
"Name": "resourceTags",
"Optional": true,
"Type": "String"
},
{
"Name": "resourceId",
"Optional": true,
"Type": "String"
}
],
"Trigger type": "Periodic"
},
"EC2_SECURITY_GROUP_ATTACHED_TO_ENI": { "EC2_SECURITY_GROUP_ATTACHED_TO_ENI": {
"AWS Region": "All supported AWS regions except Asia Pacific (Osaka) Region", "AWS Region": "All supported AWS regions except Asia Pacific (Osaka) Region",
"Parameters": [], "Parameters": [],
@ -828,6 +944,22 @@
"Parameters": [], "Parameters": [],
"Trigger type": "Periodic" "Trigger type": "Periodic"
}, },
"EFS_RESOURCES_PROTECTED_BY_BACKUP_PLAN": {
"AWS Region": "All supported AWS regions except China (Beijing), Africa (Cape Town), Asia Pacific (Osaka), Europe (Milan), AWS GovCloud (US-East), AWS GovCloud (US-West), US West (Oregon), and China (Ningxia) Region",
"Parameters": [
{
"Name": "resourceTags",
"Optional": true,
"Type": "String"
},
{
"Name": "resourceId",
"Optional": true,
"Type": "String"
}
],
"Trigger type": "Periodic"
},
"EIP_ATTACHED": { "EIP_ATTACHED": {
"AWS Region": "All supported AWS regions", "AWS Region": "All supported AWS regions",
"Parameters": [], "Parameters": [],
@ -1046,7 +1178,7 @@
"Trigger type": "Configuration changes" "Trigger type": "Configuration changes"
}, },
"FMS_WEBACL_RESOURCE_POLICY_CHECK": { "FMS_WEBACL_RESOURCE_POLICY_CHECK": {
"AWS Region": "All supported AWS regions except China (Beijing), China (Ningxia) Region", "AWS Region": "All supported AWS regions",
"Parameters": [ "Parameters": [
{ {
"Name": "webACLId", "Name": "webACLId",
@ -1077,7 +1209,7 @@
"Trigger type": "Configuration changes" "Trigger type": "Configuration changes"
}, },
"FMS_WEBACL_RULEGROUP_ASSOCIATION_CHECK": { "FMS_WEBACL_RULEGROUP_ASSOCIATION_CHECK": {
"AWS Region": "All supported AWS regions except China (Beijing), China (Ningxia) Region", "AWS Region": "All supported AWS regions",
"Parameters": [ "Parameters": [
{ {
"Name": "ruleGroups", "Name": "ruleGroups",
@ -1097,6 +1229,22 @@
], ],
"Trigger type": "Configuration changes" "Trigger type": "Configuration changes"
}, },
"FSX_RESOURCES_PROTECTED_BY_BACKUP_PLAN": {
"AWS Region": "All supported AWS regions except China (Beijing), Africa (Cape Town), Asia Pacific (Osaka), Europe (Milan), AWS GovCloud (US-East), AWS GovCloud (US-West), US West (Oregon), and China (Ningxia) Region",
"Parameters": [
{
"Name": "resourceTags",
"Optional": true,
"Type": "String"
},
{
"Name": "resourceId",
"Optional": true,
"Type": "String"
}
],
"Trigger type": "Periodic"
},
"GUARDDUTY_ENABLED_CENTRALIZED": { "GUARDDUTY_ENABLED_CENTRALIZED": {
"AWS Region": "All supported AWS regions except China (Beijing), China (Ningxia), AWS GovCloud (US-East), Asia Pacific (Osaka), Europe (Milan), Middle East (Bahrain), Africa (Cape Town) Region", "AWS Region": "All supported AWS regions except China (Beijing), China (Ningxia), AWS GovCloud (US-East), Asia Pacific (Osaka), Europe (Milan), Middle East (Bahrain), Africa (Cape Town) Region",
"Parameters": [ "Parameters": [
@ -1533,6 +1681,22 @@
"Parameters": [], "Parameters": [],
"Trigger type": "Configuration changes" "Trigger type": "Configuration changes"
}, },
"RDS_RESOURCES_PROTECTED_BY_BACKUP_PLAN": {
"AWS Region": "All supported AWS regions except China (Beijing), Africa (Cape Town), Asia Pacific (Osaka), Europe (Milan), AWS GovCloud (US-East), AWS GovCloud (US-West), US West (Oregon), and China (Ningxia) Region",
"Parameters": [
{
"Name": "resourceTags",
"Optional": true,
"Type": "String"
},
{
"Name": "resourceId",
"Optional": true,
"Type": "String"
}
],
"Trigger type": "Periodic"
},
"RDS_SNAPSHOTS_PUBLIC_PROHIBITED": { "RDS_SNAPSHOTS_PUBLIC_PROHIBITED": {
"AWS Region": "All supported AWS regions except Asia Pacific (Osaka), Europe (Milan), Africa (Cape Town) Region", "AWS Region": "All supported AWS regions except Asia Pacific (Osaka), Europe (Milan), Africa (Cape Town) Region",
"Parameters": [], "Parameters": [],
@ -2064,7 +2228,7 @@
"Trigger type": "Configuration changes" "Trigger type": "Configuration changes"
}, },
"SSM_DOCUMENT_NOT_PUBLIC": { "SSM_DOCUMENT_NOT_PUBLIC": {
"AWS Region": "All supported AWS regions except China (Beijing), China (Ningxia), AWS GovCloud (US-East), AWS GovCloud (US-West) Region", "AWS Region": "All supported AWS regions",
"Parameters": [], "Parameters": [],
"Trigger type": "Periodic" "Trigger type": "Periodic"
}, },

100
scripts/pull_down_aws_managed_rules.py
View File

@ -40,17 +40,51 @@ AWS_MARKDOWN_URL_START = "https://raw.githubusercontent.com/awsdocs/aws-config-d
LIST_OF_MARKDOWNS_URL = "managed-rules-by-aws-config.md" LIST_OF_MARKDOWNS_URL = "managed-rules-by-aws-config.md"
def managed_rule_info(lines): def extract_param_info(line):
"""Return dict containing parameter info extracted from line."""
# Examples of parameter definitions:
# maxAccessKeyAgeType: intDefault: 90
# IgnorePublicAcls \(Optional\)Type: StringDefault: True
# MasterAccountId \(Optional\)Type: String
# endpointConfigurationTypesType: String
values = re.split(r":\s?", line)
name = values[0]
param_type = values[1]
# If there is no Optional keyword, then sometimes there
# isn't a space between the parameter name and "Type".
name = re.sub("Type$", "", name)
# Sometimes there isn't a space between the type and the
# word "Default".
if "Default" in param_type:
param_type = re.sub("Default$", "", param_type)
optional = False
if "Optional" in line:
optional = True
# Remove "Optional" from the line.
name = name.split()[0]
param_info = {
"Name": name,
"Optional": optional,
"Type": param_type,
}
# A default value isn't always provided.
if len(values) > 2:
param_info["Default"] = values[2]
return param_info
def extract_managed_rule_info(lines):
"""Return dict of qualifiers/rules extracted from a markdown file.""" """Return dict of qualifiers/rules extracted from a markdown file."""
rule_info = {} rule_info = {}
label_pattern = re.compile(r"(?:\*\*)(?P<label>[^\*].*)\:\*\*\s?(?P<value>.*)?") label_pattern = re.compile(r"(?:\*\*)(?P<label>[^\*].*)\:\*\*\s?(?P<value>.*)?")
# Examples of parameter definitions:
# maxAccessKeyAgeType: intDefault: 90
# IgnorePublicAcls \(Optional\)Type: StringDefault: True
# MasterAccountId \(Optional\)Type: String
# endpointConfigurationTypesType: String
#
collecting_params = False collecting_params = False
params = [] params = []
for line in lines: for line in lines:
@ -67,35 +101,7 @@ def managed_rule_info(lines):
break break
if "Type: " in line: if "Type: " in line:
values = re.split(r":\s?", line) params.append(extract_param_info(line))
name = values[0]
param_type = values[1]
# If there is no Optional keyword, then sometimes there
# isn't a space between the parameter name and "Type".
name = re.sub("Type$", "", name)
# Sometimes there isn't a space between the type and the
# word "Default".
if "Default" in param_type:
param_type = re.sub("Default$", "", param_type)
optional = False
if "Optional" in line:
optional = True
# Remove "Optional" from the line.
name = name.split()[0]
values_dict = {
"Name": name,
"Optional": optional,
"Type": param_type,
}
# A default value isn't always provided.
if len(values) > 2:
values_dict["Default"] = values[2]
params.append(values_dict)
continue continue
# Check for a label starting with two asterisks. # Check for a label starting with two asterisks.
@ -103,13 +109,13 @@ def managed_rule_info(lines):
if not matches: if not matches:
continue continue
# Look for "Identifier", "Trigger type", "AWS Region" and "Parameters" # Look for "Identifier", "Trigger type", "AWS Region" and
# labels and store the values for all but parameters. Parameters # "Parameters" labels and store the values for all but parameters.
# values aren't on the same line as labels. # Parameters values aren't on the same line as labels.
label = matches.group("label") label = matches.group("label")
value = matches.group("value") value = matches.group("value")
if label in ["Identifier", "Trigger type", "AWS Region"]: if label in ["Identifier", "Trigger type", "AWS Region"]:
rule_info[label] = value.replace("\\", "") rule_info[label] = value
elif label == "Parameters": elif label == "Parameters":
collecting_params = True collecting_params = True
else: else:
@ -125,15 +131,19 @@ def main():
link_pattern = re.compile(r"\+ \[[^\]]+\]\(([^)]+)\)") link_pattern = re.compile(r"\+ \[[^\]]+\]\(([^)]+)\)")
markdown_files = link_pattern.findall(req.text) markdown_files = link_pattern.findall(req.text)
markdown = {"ManagedRules": {}} # For each of those markdown files, extract the id, region, trigger type
# and parameter information.
managed_rules = {"ManagedRules": {}}
for markdown_file in markdown_files: for markdown_file in markdown_files:
req = requests.get(AWS_MARKDOWN_URL_START + markdown_file) req = requests.get(AWS_MARKDOWN_URL_START + markdown_file)
rules = managed_rule_info(req.text.split("\n")) rules = extract_managed_rule_info(req.text.split("\n"))
rule_id = rules.pop("Identifier")
markdown["ManagedRules"][rule_id] = rules
rule_id = rules.pop("Identifier")
managed_rules["ManagedRules"][rule_id] = rules
# Create a JSON file with the extracted managed rule info.
with open(MANAGED_RULES_OUTPUT_FILENAME, "w") as fhandle: with open(MANAGED_RULES_OUTPUT_FILENAME, "w") as fhandle:
json.dump(markdown, fhandle, sort_keys=True, indent=2) json.dump(managed_rules, fhandle, sort_keys=True, indent=2)
return 0 return 0