Merge pull request aquasecurity#1688 from aquasecurity/bundles/sync_08_11

Bundles/sync 08 11
AkhtarAmir authored Aug 11, 2023
2 parents c3170c1 + 5f58b3f commit 85e1351
Showing 7 changed files with 136 additions and 64 deletions.
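--- a/collectors/aws/iam/getRolePolicy.js
+++ b/collectors/aws/iam/getRolePolicy.js
@@ -21,8 +21,7 @@ module.exports = function(AWSConfig, collection, retries, callback) {
 return cb();
 }
 
-if (role.RoleName && collection.iam &&
-collection.iam.listAttachedRolePolicies &&
+if (collection.iam.listAttachedRolePolicies &&
 collection.iam.listAttachedRolePolicies[AWSConfig.region] &&
 collection.iam.listAttachedRolePolicies[AWSConfig.region][role.RoleName] &&
 collection.iam.listAttachedRolePolicies[AWSConfig.region][role.RoleName].data &&
@@ -33,6 +32,19 @@ module.exports = function(AWSConfig, collection, retries, callback) {
 role.attachedPolicies = [];
 }
 
+if (collection.iam.getRole &&
+collection.iam.getRole[AWSConfig.region] &&
+collection.iam.getRole[AWSConfig.region][role.RoleName] &&
+collection.iam.getRole[AWSConfig.region][role.RoleName].data &&
+collection.iam.getRole[AWSConfig.region][role.RoleName].data.Role &&
+Object.keys(collection.iam.getRole[AWSConfig.region][role.RoleName].data.Role).length) {
+role.tags = collection.iam.getRole[AWSConfig.region][role.RoleName].data.Role.Tags;
+role.lastUsed = collection.iam.getRole[AWSConfig.region][role.RoleName].data.Role.RoleLastUsed;
+} else {
+role.tags = [];
+role.lastUsed = [];
+}
+
 collection.iam.getRolePolicy[AWSConfig.region][role.RoleName] = {};
 role.inlinePolicies = [];
 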
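Review bot: In the new `getRole` branch, `role.tags` is copied straight from `data.Role.Tags`, but the guard only checks that `Role` has some keys, so a role returned without a `Tags` member leaves `role.tags` undefined instead of the `[]` the else branch promises; `role.lastUsed` has the same gap, and its `[]` fallback is a different shape from the `RoleLastUsed` object IAM returns. Normalize inside the branch, e.g. `role.tags = collection.iam.getRole[AWSConfig.region][role.RoleName].data.Role.Tags || [];` and `role.lastUsed = collection.iam.getRole[AWSConfig.region][role.RoleName].data.Role.RoleLastUsed || {};`, and give the else branch the same shape for `lastUsed` unless a consumer already depends on `[]`. A downstream check that reads these fields would otherwise hit an undefined value and either throw or skip the role rather than produce a finding. The `Tags` point applies equally to the new `getUser` branch in collectors/aws/iam/getUserPolicy.js (`user.tags`). The enclosing callback begins and ends outside the hunk.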
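--- a/collectors/aws/iam/getUserPolicy.js
+++ b/collectors/aws/iam/getUserPolicy.js
@@ -21,8 +21,7 @@ module.exports = function(AWSConfig, collection, retries, callback) {
 return cb();
 }
 
-if (user.UserName && collection.iam &&
-collection.iam.listAttachedUserPolicies &&
+if (collection.iam.listAttachedUserPolicies &&
 collection.iam.listAttachedUserPolicies[AWSConfig.region] &&
 collection.iam.listAttachedUserPolicies[AWSConfig.region][user.UserName] &&
 collection.iam.listAttachedUserPolicies[AWSConfig.region][user.UserName].data &&
@@ -33,6 +32,17 @@ module.exports = function(AWSConfig, collection, retries, callback) {
 user.attachedPolicies = [];
 }
 
+if (collection.iam.getUser &&
+collection.iam.getUser[AWSConfig.region] &&
+collection.iam.getUser[AWSConfig.region][user.UserName] &&
+collection.iam.getUser[AWSConfig.region][user.UserName].data &&
+collection.iam.getUser[AWSConfig.region][user.UserName].data.User &&
+Object.keys(collection.iam.getUser[AWSConfig.region][user.UserName].data.User).length) {
+user.tags = collection.iam.getUser[AWSConfig.region][user.UserName].data.User.Tags;
+} else {
+user.tags = [];
+}
+
 collection.iam.getUserPolicy[AWSConfig.region][user.UserName] = {};
 user.inlinePolicies = [];
 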
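--- a/collectors/google/iam/list.js
+++ b/collectors/google/iam/list.js
@@ -20,6 +20,24 @@ module.exports = function(GoogleConfig, collection, settings, regions, call, ser
 
 let memberObj = {};
 
+let groups = {};
+
+if (collection['memberships'] &&
+collection['memberships']['list'] &&
+collection['memberships']['list']['global'] &&
+collection['memberships']['list']['global']['data'] &&
+collection['memberships']['list']['global']['data'].length) {
+collection['memberships']['list']['global']['data'].forEach(membership => {
+let user_email = membership.preferredMemberKey ? membership.preferredMemberKey.id: '';
+let group_name = membership.parent ? membership.parent.displayName : '';
+if (!groups[group_name]) groups[group_name] = [];
+
+groups[group_name].push({
+email: user_email,
+roles: membership.roles
+});
+});
+}
 if (collection['projects'] &&
 collection['projects']['getIamPolicy'] &&
 collection['projects']['getIamPolicy']['global'] &&
@@ -41,6 +59,16 @@ module.exports = function(GoogleConfig, collection, settings, regions, call, ser
 email: accountName,
 type: memberType
 };
+
+if (memberType === 'groups') {
+let groupName = accountName.split('@')[0];
+if (groups[groupName]) {
+memberObj[resource].users = groups[groupName];
+} else {
+memberObj[resource].users = [];
+}
+}
+
 let roleObj = {role: role};
 if (condition) roleObj.condition = condition;
 memberObj[resource].roles.push(roleObj);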
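Review bot: `groups` is a plain `{}` keyed by externally supplied group display names, so a group named `constructor`, `toString` or similar resolves to an inherited `Object.prototype` member in `if (!groups[group_name])`, and the following `.push` throws, aborting collection for the whole project; the lookup `groups[groupName]` in the second hunk has the same hole. Declare it as `let groups = Object.create(null);` (or a `Map`) so only keys this code wrote are found. Separately, the map is filled by `membership.parent.displayName` but read by `accountName.split('@')[0]`, and a group's display name need not equal the local part of its address, so `users` can silently come back `[]` and the group's members would be left out of any policy review built on this data; keying both sides on the group's email (if the `parent` object here is the Cloud Identity Group resource, `membership.parent.groupKey.id` — confirm) would make the join reliable. The enclosing callback begins and ends outside both hunks.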
63 changes: 21 additions & 42 deletions helpers/aws/api.js
Expand Up @@ -269,30 +269,6 @@ var serviceMap = {
BridgeCall: 'listAnalyzers', BridgeArnIdentifier: 'arn', BridgeIdTemplate: '',
BridgeResourceType: 'analyzer', BridgeResourceNameIdentifier: 'name',
BridgeExecutionService: 'IAM', BridgeCollectionService: 'accessanalyzer', DataIdentifier: 'data',
},
{
enabled: true, isSingleSource: true, isIdentity: true, InvAsset: 'instance', InvService: 'iam',
InvResourceCategory: 'identity', InvResourceType: 'iam_user',
BridgeServiceName: 'iam', BridgePluginCategoryName: 'IAM', BridgeProvider: 'aws',
BridgeCall: 'listUsers', BridgeArnIdentifier: 'Arn', BridgeIdTemplate: '',
BridgeResourceType: 'user', BridgeResourceNameIdentifier: 'UserName', sendLast: true,
BridgeExecutionService: 'IAM', BridgeCollectionService: 'iam', DataIdentifier: 'data',
},
{
enabled: true, isSingleSource: true, isIdentity: true, InvAsset: 'instance', InvService: 'iam',
InvResourceCategory: 'identity', InvResourceType: 'iam_group',
BridgeServiceName: 'iam', BridgePluginCategoryName: 'IAM', BridgeProvider: 'aws',
BridgeCall: 'listGroups', BridgeArnIdentifier: 'Arn', BridgeIdTemplate: '',
BridgeResourceType: 'group', BridgeResourceNameIdentifier: 'GroupName', sendLast: true,
BridgeExecutionService: 'IAM', BridgeCollectionService: 'iam', DataIdentifier: 'data',
},
{
enabled: true, isSingleSource: true, isIdentity: true, InvAsset: 'instance', InvService: 'iam',
InvResourceCategory: 'identity', InvResourceType: 'iam_role',
BridgeServiceName: 'iam', BridgePluginCategoryName: 'IAM', BridgeProvider: 'aws',
BridgeCall: 'listRoles', BridgeArnIdentifier: 'Arn', BridgeIdTemplate: '',
BridgeResourceType: 'role', BridgeResourceNameIdentifier: 'RoleName', sendLast: true,
BridgeExecutionService: 'IAM', BridgeCollectionService: 'iam', DataIdentifier: 'data',
}
],
'EMR':
Expand Down Expand Up @@ -1268,7 +1244,7 @@ var calls = {
},
listUsers: {
property: 'Users',
paginate: 'Marker'
paginate: 'Marker',
},
listRoles: {
property: 'Roles',
Expand Down Expand Up @@ -2821,21 +2797,6 @@ var postcalls = [
}
},
IAM: {
getUserPolicy: {
reliesOnService: 'iam',
reliesOnCall: 'listUsers',
override: true
},
getGroupPolicy: {
reliesOnService: 'iam',
reliesOnCall: 'listGroups',
override: true
},
getRolePolicy: {
reliesOnService: 'iam',
reliesOnCall: 'listRoles',
override: true
},
getPolicy: {
reliesOnService: 'iam',
reliesOnCall: 'listPolicies',
Expand All @@ -2854,7 +2815,10 @@ var postcalls = [
filterKey: 'UserName',
filterValue: 'UserName'
},
sendIntegration: [serviceMap['IAM'][1], serviceMap['IAM'][2],serviceMap['IAM'][3]]
sendIntegration: {
enabled: true,
sendLast: true
}
},
EKS:{
describeNodegroups: {
Expand Down Expand Up @@ -2922,7 +2886,22 @@ var postcalls = [
reliesOnService: 'iam',
reliesOnCall: 'listPolicies',
override: true
}
},
getUserPolicy: {
reliesOnService: 'iam',
reliesOnCall: 'listUsers',
override: true
},
getGroupPolicy: {
reliesOnService: 'iam',
reliesOnCall: 'listGroups',
override: true
},
getRolePolicy: {
reliesOnService: 'iam',
reliesOnCall: 'listRoles',
override: true
},
},
ECS: {
describeTasks: {
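Review bot: The relocated `getUserPolicy`, `getGroupPolicy` and `getRolePolicy` entries in the last hunk are `override: true` custom collectors, and the collector changes in this same commit make two of them read `collection.iam.getUser` / `collection.iam.getRole` for tags and last-used data, so they now depend on those calls having completed first; nothing in the hunk records that ordering, and the object they were moved into starts above the hunk, so a reader cannot see which phase now runs them. Add a comment on the moved block, `// Must run after getUser/getRole: the custom collectors read their data for tags and lastUsed`, so the next reorder does not silently reintroduce empty tags. The replacement `sendIntegration: { enabled: true, sendLast: true }` in the fourth hunk drops the explicit serviceMap references; if the integration layer still needs the resource metadata those entries carried, that is worth confirming, since the first hunk deletes them from `serviceMap['IAM']` entirely.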
74 changes: 57 additions & 17 deletions helpers/google/api.js
Expand Up @@ -164,15 +164,6 @@ var serviceMap = {
BridgeResourceNameIdentifier: 'name', BridgeExecutionService: 'gcp-Spanner',
BridgeCollectionService: 'gcp-spanner', DataIdentifier: 'data',
},
'IAM':
{
enabled: true, isSingleSource: true, isIdentity: true, InvAsset: 'Instance', InvService: 'iam',
InvResourceCategory: 'identity', InvResourceType: 'iam_user', BridgeServiceName: 'iam',
BridgePluginCategoryName: 'gcp-IAM', BridgeProvider: 'Google', BridgeCall: 'list',
BridgeArnIdentifier: '', BridgeIdTemplate: '', BridgeResourceType: 'user',
BridgeResourceNameIdentifier: 'email', BridgeExecutionService: 'gcp-IAM',
BridgeCollectionService: 'gcp-iam', DataIdentifier: 'data',
},
'SQL':
{
enabled: true, isSingleSource: true, InvAsset: 'sql', InvService: 'sql',
Expand Down Expand Up @@ -584,8 +575,14 @@ var calls = {
location: null,
pagination: true,
paginationKey: 'nextPageToken'
},
predefined_list: {
url: 'https://iam.googleapis.com/v1/roles',
location: null,
pagination: true,
paginationKey: 'nextPageToken'
}
}
},
};

var postcalls = {
Expand All @@ -596,11 +593,17 @@ var postcalls = {
reliesOnService: ['roles'],
reliesOnCall: ['list'],
properties: ['name'],
pagination: false,
sendIntegration: {
enabled: true
}
}
pagination: false
},
predefined_get: {
url: 'https://iam.googleapis.com/v1/{name}',
location: null,
reliesOnService: ['roles'],
reliesOnCall: ['predefined_list'],
properties: ['name'],
pagination: false
},

},
instances: {
getIamPolicy: {
Expand Down Expand Up @@ -792,7 +795,18 @@ var postcalls = {
paginationKey: 'pageSize',
reqParams: 'filter=state:ENABLED'
}
}
},
groups: {
list: {
url: 'https://cloudidentity.googleapis.com/v1/groups?parent=customers/{directoryCustomerId}',
location: null,
reliesOnService: ['organizations'],
reliesOnCall: ['list'],
properties: ['directoryCustomerId'],
subObj: 'owner',
pagination: false
}
},
};

var tertiarycalls = {
Expand All @@ -816,6 +830,27 @@ var tertiarycalls = {
pagination: true,
maxLimit: 50000
}
},
groups: {
get: {
url: 'https://cloudidentity.googleapis.com/v1/{name}',
location: null,
reliesOnService: ['groups'],
reliesOnCall: ['list'],
properties: ['name'],
pagination: false
}
},
memberships: {
list: {
url: 'https://cloudidentity.googleapis.com/v1/{name}/memberships',
location: null,
reliesOnService: ['groups'],
reliesOnCall: ['list'],
properties: ['name'],
pagination: true,
paginationKey: 'nextPageToken'
}
}
};

Expand All @@ -826,7 +861,12 @@ var specialcalls = {
reliesOnService: ['projects'],
reliesOnCall: ['getIamPolicy']
},
sendIntegration: serviceMap['IAM']
sendIntegration: {
integrationReliesOn: {
serviceName: ['roles']
},
enabled: true
}
}
};

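Review bot: The new `groups.list` entry in `postcalls` sets `pagination: false` for `https://cloudidentity.googleapis.com/v1/groups?parent=customers/{directoryCustomerId}`, while that endpoint pages its results with `nextPageToken` — the `memberships.list` entry added further down in the same file already handles this with `pagination: true,` / `paginationKey: 'nextPageToken'`. On a customer with more groups than fit in one page, the remaining groups and all of their memberships are never fetched, and the group-to-member join in collectors/google/iam/list.js would then report those groups with an empty `users` list rather than failing visibly. Change the entry to `pagination: true,` and `paginationKey: 'nextPageToken'` to match `memberships.list`. I cannot tell from the hunk what `subObj: 'owner'` selects; a one-line comment naming the field it refers to would help the next reader. The `postcalls` object starts and ends outside this hunk.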
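--- a/helpers/google/regions.js
+++ b/helpers/google/regions.js
@@ -143,6 +143,9 @@ module.exports = {
 subscriptions: ['global'],
 jobs: regions,
 organizations: ['global'],
+groups: ['global'],
+memberships: ['global'],
+iam: ['global'],
 deployments: ['global'],
 urlMaps: ['global'],
 apiKeys: ['global'],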
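--- a/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js
+++ b/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js
@@ -4,7 +4,7 @@ var helpers = require('../../../helpers/azure');
 module.exports = {
 title: 'Front Door Minimum TLS Version',
 category: 'Front Door',
-domain: 'CDN Profiles',
+domain: 'Content Delivery',
 description: 'Ensures that Azure Front Door Standard and Premium profile custom domains have minimum TLS version of 1.2.',
 more_info: 'By setting the minimum TLS version to 1.2, you significantly improve the security of your custom domains. All Azure Front Door profiles created after September 2019 use TLS 1.2 as the default minimum.',
 recommended_action: 'Ensure that Azure Front Door Standard and Premium are using minimum TLS version of 1.2.',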

0 comments on commit 85e1351

Please sign in to comment.