
Commit fc5eda9

authored
Merge branch 'main' into health-status-agent-v2
2 parents 1ebe7b9 + ac69988 commit fc5eda9


11 files changed

+1070
-39
lines changed


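--- a/deploy/aws/cloudbeat-aws.yml
+++ b/deploy/aws/cloudbeat-aws.yml
@@ -1,7 +1,7 @@
 cloudbeat:
 type: cloudbeat/cis_aws
-access_key_id: ""
-secret_access_key: ""
+access_key_id: ${AWS_ACCESS_KEY_ID:""}
+secret_access_key: ${AWS_SECRET_ACCESS_KEY:""}
 # Defines how often an event is sent to the output
 period: 30s
 fetchers:
@@ -13,6 +13,9 @@ cloudbeat:
 cis_aws:
 - cis_1_8
 - cis_1_9
+- cis_1_10
+- cis_1_11
+- cis_1_13
 # =================================== Kibana ===================================
 setup.kibana:
 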
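Review bot: The empty defaults in `access_key_id: ${AWS_ACCESS_KEY_ID:""}` and `secret_access_key: ${AWS_SECRET_ACCESS_KEY:""}` mean an unset variable silently yields empty credentials instead of a configuration error, so a deployment that forgot to export them keeps running on whatever the SDK falls back to (presumably the default credential chain; not visible here). If explicit keys are required, `${AWS_ACCESS_KEY_ID}` without a default should make config loading reject the unset variable, which is worth confirming against libbeat's expansion rules. If the fallback is intended, say so next to the keys, e.g. `# Leave unset to fall back to the SDK default credential chain (instance role, profile, env)`. Moving the literal keys out of the checked-in file is the right direction either way.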

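--- a/resources/fetchers/iam_fetcher.go
+++ b/resources/fetchers/iam_fetcher.go
@@ -44,27 +44,40 @@ type IAMResource struct {
 identity *awslib.Identity
 }
 
+// Fetch collects IAM resources, such as password-policy and IAM users.
+// The resources are enriched by the provider and being send to evaluation.
 func (f IAMFetcher) Fetch(ctx context.Context, cMetadata fetching.CycleMetadata) error {
 f.log.Debug("Starting IAMFetcher.Fetch")
+iamResources := make([]awslib.AwsResource, 0)
 
 pwdPolicy, err := f.iamProvider.GetPasswordPolicy(ctx)
 if err != nil {
-return err
+f.log.Errorf("Unable to fetch PasswordPolicy, error: %v", err)
+} else {
+iamResources = append(iamResources, pwdPolicy)
 }
 
-f.resourceCh <- fetching.ResourceInfo{
-Resource: IAMResource{
-AwsResource: pwdPolicy,
-identity: f.cloudIdentity,
-},
-CycleMetadata: cMetadata,
+users, err := f.iamProvider.GetUsers(ctx)
+if err != nil {
+f.log.Errorf("Unable to fetch IAM users, error: %v", err)
+} else {
+iamResources = append(iamResources, users...)
+}
+
+for _, iamResource := range iamResources {
+f.resourceCh <- fetching.ResourceInfo{
+Resource: IAMResource{
+AwsResource: iamResource,
+identity: f.cloudIdentity,
+},
+CycleMetadata: cMetadata,
+}
 }
 
 return nil
 }
 
-func (f IAMFetcher) Stop() {
-}
+func (f IAMFetcher) Stop() {}
 
 func (r IAMResource) GetData() any {
 return r.AwsResource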
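Review bot: Fetch now returns nil even when both GetPasswordPolicy and GetUsers fail, so a missing IAM permission or an API outage is indistinguishable from an account with no IAM resources — the cycle completes with no findings for the IAM rules and only an Errorf line records why. Keeping the two errors in separate variables and returning them joined when neither call produced anything preserves the partial-success behaviour while still surfacing a total failure; the fourth case in iam_fetcher_test.go (`Should not get any IAM resources`) would then expect an error instead of `s.NoError(err)`. The send loop also blocks on `f.resourceCh` without watching ctx, so a cancelled cycle can leave the fetcher stuck if the consumer stops reading; a `select` on `ctx.Done()` fixes that. The doc comment's `being send to evaluation` should read `sent to evaluation`. The rewrite below assumes `errors` and `fmt` are in the file's import block, which is outside the hunk.
```go
	pwdPolicy, pwdErr := f.iamProvider.GetPasswordPolicy(ctx)
	// … unchanged: log pwdErr, else append pwdPolicy …
	users, usersErr := f.iamProvider.GetUsers(ctx)
	// … unchanged: log usersErr, else append users… …

	// Both calls failing is not "no IAM resources"; report it to the caller.
	// errors.Join needs Go 1.20+; otherwise fmt.Errorf("%v; %w", pwdErr, usersErr).
	if pwdErr != nil && usersErr != nil {
		return fmt.Errorf("fetching IAM resources: %w", errors.Join(pwdErr, usersErr))
	}

	for _, iamResource := range iamResources {
		select {
		case <-ctx.Done():
			return ctx.Err()
		case f.resourceCh <- fetching.ResourceInfo{
			Resource:      IAMResource{AwsResource: iamResource, identity: f.cloudIdentity},
			CycleMetadata: cMetadata,
		}:
		}
	}

	return nil
```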

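--- a/resources/fetchers/iam_fetcher_test.go
+++ b/resources/fetchers/iam_fetcher_test.go
@@ -27,6 +27,7 @@ import (
 "github.com/pkg/errors"
 "github.com/stretchr/testify/suite"
 "testing"
+"time"
 )
 
 type IamFetcherTestSuite struct {
@@ -36,10 +37,7 @@ type IamFetcherTestSuite struct {
 resourceCh chan fetching.ResourceInfo
 }
 
-type IamProviderReturnVals struct {
-pwdPolicy awslib.AwsResource
-err error
-}
+type mocksReturnVals map[string][]any
 
 func TestIamFetcherTestSuite(t *testing.T) {
 s := new(IamFetcherTestSuite)
@@ -60,7 +58,8 @@ func (s *IamFetcherTestSuite) TearDownTest() {
 close(s.resourceCh)
 }
 
-func (s *IamFetcherTestSuite) TestIamFetcherFetch() {
+func (s *IamFetcherTestSuite) TestIamFetcher_Fetch() {
+testAccount := "test-account"
 pwdPolicy := iam.PasswordPolicy{
 ReusePreventionCount: 5,
 RequireLowercase: true,
@@ -71,25 +70,59 @@ func (s *IamFetcherTestSuite) TestIamFetcherFetch() {
 MinimumLength: 8,
 }
 
-testAccount := "test-account"
+iamUser := iam.User{
+Name: "test",
+AccessKeys: []iam.AccessKey{{
+AccessKeyId: "",
+Active: false,
+CreationDate: time.Time{},
+LastAccess: time.Time{},
+HasUsed: false},
+},
+MFADevices: nil,
+LastAccess: time.Time{},
+Arn: "testArn",
+HasLoggedIn: false,
+}
 
 var tests = []struct {
-mockReturnVal IamProviderReturnVals
+name string
+mocksReturnVals mocksReturnVals
 account string
 numExpectedResults int
 }{
 {
-mockReturnVal: IamProviderReturnVals{
-pwdPolicy: pwdPolicy,
-err: nil,
+name: "Should get password policy and an IAM user",
+mocksReturnVals: mocksReturnVals{
+"GetPasswordPolicy": {pwdPolicy, nil},
+"GetUsers": {[]awslib.AwsResource{iamUser}, nil},
+},
+account: testAccount,
+numExpectedResults: 2,
+},
+{
+name: "Receives only an IAM user due to an error in GetPasswordPolicy",
+mocksReturnVals: mocksReturnVals{
+"GetPasswordPolicy": {nil, errors.New("Fail to fetch pwd policy")},
+"GetUsers": {[]awslib.AwsResource{iamUser}, nil},
 },
 account: testAccount,
 numExpectedResults: 1,
 },
 {
-mockReturnVal: IamProviderReturnVals{
-pwdPolicy: nil,
-err: errors.New("Fail to fetch pwd policy"),
+name: "Should get only a password policy resource due to an error in GetUsers",
+mocksReturnVals: mocksReturnVals{
+"GetPasswordPolicy": {pwdPolicy, nil},
+"GetUsers": {nil, errors.New("Fail to fetch iam users")},
+},
+account: testAccount,
+numExpectedResults: 1,
+},
+{
+name: "Should not get any IAM resources",
+mocksReturnVals: mocksReturnVals{
+"GetPasswordPolicy": {nil, errors.New("Fail to fetch pwd policy")},
+"GetUsers": {nil, errors.New("Fail to fetch iam users")},
 },
 account: testAccount,
 numExpectedResults: 0,
@@ -101,12 +134,14 @@ func (s *IamFetcherTestSuite) TestIamFetcherFetch() {
 AwsBaseFetcherConfig: fetching.AwsBaseFetcherConfig{},
 }
 
-iamProvider := &iam.MockAccessManagement{}
-iamProvider.EXPECT().GetPasswordPolicy(context.TODO()).Return(test.mockReturnVal.pwdPolicy, test.mockReturnVal.err)
+iamProviderMock := &iam.MockAccessManagement{}
+for funcName, returnVals := range test.mocksReturnVals {
+iamProviderMock.On(funcName, context.TODO()).Return(returnVals...)
+}
 
-eksFetcher := IAMFetcher{
+iamFetcher := IAMFetcher{
 log: s.log,
-iamProvider: iamProvider,
+iamProvider: iamProviderMock,
 cfg: iamCfg,
 resourceCh: s.resourceCh,
 cloudIdentity: &awslib.Identity{
@@ -116,12 +151,10 @@ func (s *IamFetcherTestSuite) TestIamFetcherFetch() {
 
 ctx := context.Background()
 
-err := eksFetcher.Fetch(ctx, fetching.CycleMetadata{})
-results := testhelper.CollectResources(s.resourceCh)
+err := iamFetcher.Fetch(ctx, fetching.CycleMetadata{})
+s.NoError(err)
 
-s.Equal(len(results), test.numExpectedResults)
-if test.mockReturnVal.err == nil {
-s.NoError(err)
-}
+results := testhelper.CollectResources(s.resourceCh)
+s.Equal(test.numExpectedResults, len(results))
 }
 }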
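Review bot: The expectations are registered with `iamProviderMock.On(funcName, context.TODO())` while Fetch is invoked with `ctx := context.Background()`, so the match relies on testify's argument comparison treating the two empty contexts as equal; as far as I can tell that stopped holding once Go made Background and TODO distinct types (1.21), at which point the mock panics on an unexpected call instead of returning the table values. Hoisting `ctx := context.Background()` above the mock setup and registering with `iamProviderMock.On(funcName, ctx)`, or using `mock.Anything` for the argument, removes the dependency on that coincidence. The `Should not get any IAM resources` case pins the fetcher's silent-failure behaviour by asserting `s.NoError(err)` with zero results; if Fetch is changed to report a total failure, this case should expect the error. TestIamFetcher_Fetch's body continues outside the hunks, so the table's closing and the loop header are not visible here.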

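--- a/resources/fetching/fetcher.go
+++ b/resources/fetching/fetcher.go
@@ -30,6 +30,7 @@ const (
 EcrType = "aws-ecr"
 IAMType = "aws-iam"
 ElbType = "aws-elb"
+IAMUserType = "aws-iam-user"
 PwdPolicyType = "aws-password-policy"
 EksType = "aws-eks"
 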
