

Merge pull request #30 from CarveSystems/redshift-parameter-group-scan
Redshift parameter group scan
Kenneth Wilke (Carve Systems) authored Jul 30, 2020
2 parents 877d673 + 751bb22 commit 54cd33e
Showing 1 changed file with 88 additions and 1 deletion.
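--- a/scanamabob/scans/redshift.py
+++ b/scanamabob/scans/redshift.py
@@ -60,5 +60,92 @@ def run(self, context):
 return findings
 
 
+class ParameterGroupScan(Scan):
+def __init__(self, name, value, title):
+self.name = name
+self.value = value
+self.title = title
+
+def run(self, context):
+findings = []
+parameter_group_count = 0
+flagged_parameter_group_count = 0
+flagged = {}
+instances = {}
+
+# Search for parameter groups with the properties we are looking to flag.
+for region in context.regions:
+redshift = client(context, region_name=region)
+for page in redshift.get_paginator('describe_cluster_parameter_groups').paginate():
+for parameter_group in page['ParameterGroups']:
+parameter_group_count += 1
+group_name = parameter_group['ParameterGroupName']
+for parameter in redshift.describe_cluster_parameters(ParameterGroupName=group_name)['Parameters']:
+if parameter['ParameterName'] == self.name and parameter['ParameterValue'] == self.value:
+flagged_parameter_group_count += 1
+if region not in flagged:
+flagged[region] = []
+flagged[region].append({'group_name': group_name,
+'parameter_name': self.name,
+'parameter_value': self.value,
+'in_use': False})
+
+# Next see if those parameter groups are actually used.
+severity = 'INFO'
+instances = {}
+for region in context.regions:
+redshift = client(context, region_name=region)
+for page in redshift.get_paginator('describe_clusters').paginate():
+for cluster in page['Clusters']:
+for parameter_group in cluster['ClusterParameterGroups']:
+group_name = parameter_group['ParameterGroupName']
+for other_group in flagged[region]:
+if other_group['group_name'] == group_name:
+other_group['in_use'] = True
+severity = 'MEDIUM'
+
+# If the default parameter group isn't used, then unflag it.
+for region in flagged:
+default_group = None
+for group in flagged[region]:
+if group['group_name'] == 'default.redshift-1.0' and not group['in_use']:
+default_group = group
+break
+if default_group:
+flagged_parameter_group_count -= 1
+flagged[region].remove(default_group)
+
+if flagged_parameter_group_count:
+findings.append(Finding(context.state,
+self.title,
+severity,
+parameter_group_count=parameter_group_count,
+flagged_parameter_group_count=flagged_parameter_group_count,
+instances=flagged))
+return findings
+
+
+class SSLEnabledScan(ParameterGroupScan):
+title = 'Verifying Redshift clusters are using SSL'
+permissions = ['']
+
+def __init__(self):
+super().__init__('require_ssl',
+'false',
+'Redshift cluster parameter groups with SSL disabled')
+
+
+class LoggingEnabledScan(ParameterGroupScan):
+title = 'Verifying Redshift clusters are using activity logging'
+permissions = ['']
+
+def __init__(self):
+super().__init__('enable_user_activity_logging',
+'false',
+'Redshift cluster parameter groups with activity logging disabled')
+
+
 scans = ScanSuite('Redshift Scans',
-{'public': PubliclyAccessibleScan()})
+{'public': PubliclyAccessibleScan(),
+'logging': LoggingEnabledScan(),
+'ssl': SSLEnabledScan()})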
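Review bot: In `ParameterGroupScan.run`, the second pass indexes `flagged[region]` for every cluster in every region, but `flagged` only gets a key when a parameter group in that region matched. A region that has clusters and no flagged group would therefore raise `KeyError`, ending the scan with no findings for any region; `for other_group in flagged.get(region, []):` avoids that. Separately, `SSLEnabledScan` and `LoggingEnabledScan` declare `permissions = ['']` while the code calls `describe_cluster_parameter_groups`, `describe_cluster_parameters` and `describe_clusters`. If that attribute is meant to document the IAM actions a scan needs, listing `redshift:DescribeClusterParameterGroups`, `redshift:DescribeClusterParameters` and `redshift:DescribeClusters` would let operators scope a read-only policy for the scanner. `describe_cluster_parameters` is also called without a paginator, so a truncated response could hide a matching parameter.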
