Conversation

@jsonpr
Contributor

@jsonpr jsonpr commented Jun 23, 2023

Adding Foundational Security Best Practice Policy - net new policy that we haven't covered for AWS Accounts.

This check looks for the presence of a security contact for each account.

This check tested the following use cases. These cases cover all expected pass and fail use cases for security contacts which are contained within the aws_account_alternate_contact table. These alternate tables can include operations, billing, or security:

  • Account with no alternate contacts (expected fail)
  • Account with only billing or operations and no security contact (expected fail)
  • Account with only a security contact (expected pass)
  • Account with a security contact and other contacts (expected positive)

To do so, I joined this with a table that references the AWS Account. This is not an ideal join, but the query uses aws_iam_accounts to get an idea of the account we're pulling data from. Another option would be to use aws_account_contacts, but that requires assuming that accounts will always have contact information (which should generally be the case). The other tables considered were aws_organizations_accounts but that may not return the data we want due to permissions within the organization and how accounts could be listed depending on visibility.

A couple of conditions: updating contact information in AWS requires all fields to be populated. Additionally, a lack of a security contact will return no data, so we do a NULL check based on a left join (with iam_accounts as the left table). We remove the non-security contacts in the right join (nested select).

Right now, we pull contact information from the calling AWS Account. It's possible to pull contact information from a delegated administrator or an administrator account. If we revisit that later, this query will need to be updated.
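The join shape described in this PR (accounts on the left, a nested select that keeps only SECURITY alternate contacts on the right, NULL meaning fail), as an added illustration that is not the merged CloudQuery policy query. Column names `account_id`, `alternate_contact_type` and `email_address` are assumptions, and the sample rows are constructed to cover the four use cases listed above.

```sql
-- Added example, not the merged policy query. Column names are assumptions:
-- aws_iam_accounts(account_id) and
-- aws_account_alternate_contact(account_id, alternate_contact_type, email_address).
-- The two CTEs below are constructed sample rows standing in for those tables,
-- one account per use case from the PR description.
WITH aws_iam_accounts(account_id) AS (
  VALUES ('111111111111'),   -- no alternate contacts at all
         ('222222222222'),   -- billing and operations only
         ('333333333333'),   -- security contact only
         ('444444444444')    -- security contact plus other contacts
),
aws_account_alternate_contact(account_id, alternate_contact_type, email_address) AS (
  VALUES ('222222222222', 'BILLING',    'billing@example.com'),
         ('222222222222', 'OPERATIONS', 'ops@example.com'),
         ('333333333333', 'SECURITY',   'secops@example.com'),
         ('444444444444', 'BILLING',    'billing@example.com'),
         ('444444444444', 'SECURITY',   'secops@example.com')
),
-- Nested select on the right side of the join: keep only SECURITY rows so
-- that a billing or operations contact cannot satisfy the check.
security_contacts AS (
  SELECT account_id, email_address
  FROM aws_account_alternate_contact
  WHERE alternate_contact_type = 'SECURITY'
)
-- Left join with the account table on the left; an account with no security
-- contact gets NULLs from the right side, which is the fail condition.
SELECT
  a.account_id,
  s.email_address AS security_contact,
  CASE WHEN s.account_id IS NULL THEN 'fail' ELSE 'pass' END AS status
FROM aws_iam_accounts a
LEFT JOIN security_contacts s ON s.account_id = a.account_id
ORDER BY a.account_id;
```

The first two accounts come back as fail and the last two as pass, matching the expected results in the use-case list.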

@jsonpr jsonpr requested a review from bbernays June 23, 2023 20:39
@cq-bot cq-bot added the aws label Jun 23, 2023
@jsonpr jsonpr requested a review from erezrokah June 23, 2023 20:40
@jsonpr
Contributor Author

jsonpr commented Jul 5, 2023

/gen sha=58dd28a00b8242631a8db68ac5c446695ee28e6a plugin=aws

@jsonpr jsonpr added the automerge Automatically merge once required checks pass label Jul 5, 2023
@jsonpr jsonpr marked this pull request as ready for review July 5, 2023 14:54
@kodiakhq kodiakhq bot merged commit c9d7294 into cloudquery:main Jul 5, 2023
@jsonpr jsonpr deleted the 11712-feat-add-2-account-checks-to-aws-compliance-policies branch July 6, 2023 13:15
kodiakhq bot pushed a commit that referenced this pull request Jul 12, 2023
🤖 I have created a release *beep* *boop*
---


## [20.0.0](plugins-source-aws-v19.2.0...plugins-source-aws-v20.0.0) (2023-07-12)


### ⚠ BREAKING CHANGES

* **aws:** Define primary key for eips ([#11728](#11728))
* Upgrades the awspricing source plugin to use plugin-sdk v4. This version does not contain any user-facing breaking changes, but because it is now using CloudQuery gRPC protocol v3, it does require use of a destination plugin that also supports protocol v3. All recent destination plugin versions support this.

### This Release has the Following Changes to Tables
- Table `aws_ec2_eips`: primary key constraint added to column `account_id` (:warning: breaking)
- Table `aws_ec2_eips`: primary key constraint added to column `allocation_id` (:warning: breaking)
- Table `aws_ec2_eips`: primary key constraint added to column `region` (:warning: breaking)
- Table `aws_ec2_eips`: primary key constraint removed from column `_cq_id` (:warning: breaking)
- Table `aws_networkmanager_global_networks` was added
- Table `aws_networkmanager_links` was added
- Table `aws_networkmanager_sites` was added
- Table `aws_networkmanager_transit_gateway_registrations` was added

### Features

* Add table_options support for aws_securityhub_findings table ([#11955](#11955)) ([c9eff12](c9eff12))
* **aws-policies:** Add in AWS security account contact query ([#11729](#11729)) ([c9d7294](c9d7294))
* **aws-policies:** Add sns logging of delivery status to AWS Policies ([#12074](#12074)) ([80f0b88](80f0b88))
* **aws-policies:** Update sqs encryption for aws foundational security policies ([#11777](#11777)) ([30d415c](30d415c))
* **aws-policies:** Update ssm queries for aws policies ([#12067](#12067)) ([2b9180f](2b9180f))
* **aws-services:** Support newly added regions ([#11922](#11922)) ([6680d7a](6680d7a))
* **aws-services:** Support newly added regions ([#12120](#12120)) ([15ea38c](15ea38c))
* **aws:** Add Support for `ecs:ListTasks` in `table_options` ([#11986](#11986)) ([3016c16](3016c16)), closes [#11981](#11981)
* **aws:** Define primary key for eips ([#11728](#11728)) ([fa48d4a](fa48d4a))
* **aws:** Support networkmanager resources ([#12123](#12123)) ([a642ce0](a642ce0))
* Upgrades the awspricing source plugin to use plugin-sdk v4. This version does not contain any user-facing breaking changes, but because it is now using CloudQuery gRPC protocol v3, it does require use of a destination plugin that also supports protocol v3. All recent destination plugin versions support this. ([7d50d29](7d50d29))


### Bug Fixes

* **aws:** Skip fetching tags for `aws_kafka_cluster_operations` ([#11973](#11973)) ([2b62ba4](2b62ba4))
* **aws:** Validate table relations not just top level table ([#12121](#12121)) ([e13d931](e13d931))
* **deps:** Update github.com/apache/arrow/go/v13 digest to 5a06b2e ([#11857](#11857)) ([43c2f5f](43c2f5f))
* **deps:** Update github.com/cloudquery/arrow/go/v13 digest to 0a52533 ([#12091](#12091)) ([927cefa](927cefa))
* **deps:** Update github.com/cloudquery/arrow/go/v13 digest to a2a76eb ([#12104](#12104)) ([311f474](311f474))
* **deps:** Update github.com/cloudquery/arrow/go/v13 digest to df3b664 ([#11882](#11882)) ([9635b22](9635b22))
* **deps:** Update github.com/cockroachdb/cockroachdb-parser digest to c9c144e ([#11863](#11863)) ([1547efd](1547efd))
* **deps:** Update github.com/cockroachdb/logtags digest to 21c5414 ([#11864](#11864)) ([da48b1f](da48b1f))
* **deps:** Update github.com/gocarina/gocsv digest to 99d496c ([#11865](#11865)) ([c3de686](c3de686))
* **deps:** Update github.com/golang/geo digest to 6adc566 ([#11866](#11866)) ([edb7ed8](edb7ed8))
* **deps:** Update module github.com/aws/aws-sdk-go-v2/service/networkfirewall to v1.28.3 ([#12079](#12079)) ([a27fa21](a27fa21))
* **deps:** Update module github.com/aws/aws-sdk-go-v2/service/securityhub to v1.33.2 ([#12081](#12081)) ([e77f93e](e77f93e))
* **deps:** Update module github.com/aws/aws-sdk-go-v2/service/servicediscovery to v1.21.7 ([#12082](#12082)) ([01f8b59](01f8b59))
* **deps:** Update module github.com/cloudquery/plugin-pb-go to v1.5.0 ([#11850](#11850)) ([3255857](3255857))
* **deps:** Update module github.com/cloudquery/plugin-pb-go to v1.6.0 ([#11916](#11916)) ([421e752](421e752))
* **postgresql:** Rerun release please ([#12002](#12002)) ([9d12843](9d12843))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).