From 4813b79856d1b9e15059fa17c5a0feead3eaf0b1 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Fernando=20Gon=C3=A7alves?= Date: Thu, 21 Nov 2024 11:14:47 +0100 Subject: [PATCH] fix: Matching logic for product_name and title (#23) * fix: Matching logic for product_name and title * chore: updates fixture names --- .../awsfindingsmanagerlib.py | 18 +- tests/README | 10 + tests/fixtures/batch_update_findings.json | 19 - ...on => expected_batch_update_findings.json} | 31 +- ...es.json => expected_matched_findings.json} | 689 +++----- tests/fixtures/findings/api_consolidated.json | 190 --- .../fixtures/findings/full/Inspector/acc.json | 154 -- .../fixtures/findings/full/Inspector/dev.json | 154 -- .../fixtures/findings/full/Inspector/prd.json | 154 -- tests/fixtures/findings/full/S3.14/acc.json | 92 -- tests/fixtures/findings/full/S3.14/dev.json | 93 -- tests/fixtures/findings/full/S3.14/prd.json | 92 -- tests/fixtures/findings/full/S3.20/acc.json | 96 -- tests/fixtures/findings/full/S3.20/dev.json | 97 -- tests/fixtures/findings/full/S3.20/prd.json | 96 -- tests/fixtures/findings/full/S3.8/acc.json | 109 -- tests/fixtures/findings/full/S3.8/dev.json | 110 -- tests/fixtures/findings/full/S3.8/prd.json | 109 -- tests/fixtures/findings/full/S3.9/acc.json | 100 -- tests/fixtures/findings/full/S3.9/dev.json | 101 -- tests/fixtures/findings/full/S3.9/prd.json | 100 -- tests/fixtures/findings/gui_legacy.json | 134 -- tests/fixtures/matching_findings.json | 1385 +++++++++++++++++ tests/fixtures/non_matching_findings.json | 433 ++++++ .../{suppressions/full.yaml => rules.yaml} | 4 + .../empty.yaml => rules_empty.yaml} | 0 tests/fixtures/suppressions/legacy.yaml | 6 - tests/fixtures/suppressions/multiple.yaml | 12 - tests/fixtures/suppressions/single.yaml | 6 - tests/test_suppressions.py | 132 +- tests/utils.py | 41 +- 31 files changed, 2186 insertions(+), 2581 deletions(-) delete mode 100644 tests/fixtures/batch_update_findings.json rename tests/fixtures/{batch_update_findings_full.json => expected_batch_update_findings.json} (86%) rename 
tests/fixtures/{matches.json => expected_matched_findings.json} (60%)
 delete mode 100644 tests/fixtures/findings/api_consolidated.json
 delete mode 100644 tests/fixtures/findings/full/Inspector/acc.json
 delete mode 100644 tests/fixtures/findings/full/Inspector/dev.json
 delete mode 100644 tests/fixtures/findings/full/Inspector/prd.json
 delete mode 100644 tests/fixtures/findings/full/S3.14/acc.json
 delete mode 100644 tests/fixtures/findings/full/S3.14/dev.json
 delete mode 100644 tests/fixtures/findings/full/S3.14/prd.json
 delete mode 100644 tests/fixtures/findings/full/S3.20/acc.json
 delete mode 100644 tests/fixtures/findings/full/S3.20/dev.json
 delete mode 100644 tests/fixtures/findings/full/S3.20/prd.json
 delete mode 100644 tests/fixtures/findings/full/S3.8/acc.json
 delete mode 100644 tests/fixtures/findings/full/S3.8/dev.json
 delete mode 100644 tests/fixtures/findings/full/S3.8/prd.json
 delete mode 100644 tests/fixtures/findings/full/S3.9/acc.json
 delete mode 100644 tests/fixtures/findings/full/S3.9/dev.json
 delete mode 100644 tests/fixtures/findings/full/S3.9/prd.json
 delete mode 100644 tests/fixtures/findings/gui_legacy.json
 create mode 100644 tests/fixtures/matching_findings.json
 create mode 100644 tests/fixtures/non_matching_findings.json
 rename tests/fixtures/{suppressions/full.yaml => rules.yaml} (84%)
 rename tests/fixtures/{suppressions/empty.yaml => rules_empty.yaml} (100%)
 delete mode 100644 tests/fixtures/suppressions/legacy.yaml
 delete mode 100644 tests/fixtures/suppressions/multiple.yaml
 delete mode 100644 tests/fixtures/suppressions/single.yaml
diff --git a/awsfindingsmanagerlib/awsfindingsmanagerlib.py b/awsfindingsmanagerlib/awsfindingsmanagerlib.py
index cc99b52..ab5fe01 100755
--- a/awsfindingsmanagerlib/awsfindingsmanagerlib.py
+++ b/awsfindingsmanagerlib/awsfindingsmanagerlib.py
@@ -338,9 +338,9 @@ def match_if_set(left, right):
 def is_matching_rule(self, rule: Rule) -> bool:
 """Checks a rule for a match with the finding.
 
- If any of control_id, security_control_id, rule_id or product_name attributes match between the rule and the
- finding and the rule does not have any filtering attributes like resource_id_regexps or tags then it is
- considered a match. (Big blast radius) only matching on the control or product.
+ If any of control_id, security_control_id, rule_id or product_name and title attributes match between the
+ rule and the finding and the rule does not have any filtering attributes like resource_id_regexps or tags
+ then it is considered a match. (Big blast radius) only matching on the control or product.
 
 If the rule has any attributes like resource_id_regexps or tags then a secondary match is searched for any of
 them with the corresponding finding attributes. If any match is found then the rule is found matching if none
@@ -363,14 +363,14 @@ def is_matching_rule(self, rule: Rule) -> bool:
 rule.security_control_id),
 self.match_if_set(self.control_id, rule.rule_or_control_id),
 self.match_if_set(self.rule_id, rule.rule_or_control_id),
- self.match_if_set(self.product_name, rule.product_name),
+ all([
+ self.match_if_set(self.product_name, rule.product_name),
+ self.match_if_set(self.title, rule.title),
+ ])
 ]):
 self._logger.debug(
- f'Matched with rule "{rule.note}" on one of "control_id, security_control_id, product_name"')
- if self.match_if_set(self.title, rule.title):
- self._logger.debug(
- f'Matched with rule "{rule.note}" on title.')
- return True
+ f'Matched with rule "{rule.note}" on one of "control_id, security_control_id" or \ "product_name" and "title"')
 if not any([rule.tags, rule.resource_id_regexps]):
 self._logger.debug(
 f'Rule "{rule.note}" does not seem to have filters for resources or tags.')
diff --git a/tests/README b/tests/README
index c97d4cf..6172690 100644
--- a/tests/README
+++ b/tests/README
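Review bot: The backslash at the end of the new `self._logger.debug(...)` f-string in the second hunk is a line continuation inside a string literal, so the indentation of the following line becomes part of the logged message rather than a single space. Two adjacent literals avoid that: `f'Matched with rule "{rule.note}" on one of "control_id, security_control_id" '` followed by `'or "product_name" and "title"'`. Folding the title check into an `all([...])` with product_name also changes what a rule that sets only product_name (or only title) matches, and the outcome depends on how match_if_set treats an unset rule attribute, which is defined outside the hunk; the docstring's closing clause still says "only matching on the control or product", so a sentence there and a test case for a product_name-only rule would pin the intended semantics. is_matching_rule's body continues past the hunk.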
@@ -1 +1,11 @@
 Please place testing code here. The name should be: test_.py
+
+## Testing Suppressions
+
+The tests for suppressions follow these basic principles:
+
+- The test suppression rules can be found in `fixtures/suppression.yaml`.
+- Findings that should be matched against the suppression rules can be found in `fixtures/matching_findings.json`.
+- Findings that should NOT be matched with any suppression rule can be found in `fixtures/non_matching_findings.json`.
+- The expected match result between findings and rules can be found in `fixtures/expected_matched_findings.json`.
+- The expected suppression requests sent to Security Hub can be found in `fixtures/expected_batch_update_findings.json`.
diff --git a/tests/fixtures/batch_update_findings.json b/tests/fixtures/batch_update_findings.json
deleted file mode 100644
index d3d0ec5..0000000
--- a/tests/fixtures/batch_update_findings.json
+++ /dev/null
@@ -1,19 +0,0 @@
-{
- "FindingIdentifiers": [
- {
- "Id": "arn:aws:securityhub:eu-west-1:2345678901:security-control/GuardDuty.1/finding/a32acb1c-8a92-4122-b32a-5b35e71d0a6e",
- "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub"
- },
- {
- "Id": "arn:aws:securityhub:eu-west-1:1234567890:security-control/GuardDuty.1/finding/bbfe351f-dc6b-4ea3-9ece-08934a88798d",
- "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub"
- }
- ],
- "Workflow": {
- "Status": "SUPPRESSED"
- },
- "Note": {
- "Text": "Maybe later",
- "UpdatedBy": "FindingsManager"
- }
-}
diff --git a/tests/fixtures/batch_update_findings_full.json b/tests/fixtures/expected_batch_update_findings.json
similarity index 86%
rename from tests/fixtures/batch_update_findings_full.json
rename to tests/fixtures/expected_batch_update_findings.json
index ef6649a..f68fd96 100644
--- a/tests/fixtures/batch_update_findings_full.json
+++ b/tests/fixtures/expected_batch_update_findings.json
@@ -2,11 +2,11 @@ { "FindingIdentifiers": [ { - "Id": "arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.9/finding/180e73dc-a807-4ddd-a36a-14696c85ba9e", + "Id": "arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.9/finding/71a625e2-1a57-4fee-bc3f-22cf3f9f9e57", "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub" }, { - "Id": "arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.9/finding/71a625e2-1a57-4fee-bc3f-22cf3f9f9e57", + "Id": "arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.9/finding/180e73dc-a807-4ddd-a36a-14696c85ba9e", "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub" } ], @@ -40,11 +40,11 @@ { "FindingIdentifiers": [ { - "Id": "arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.20/finding/45fee04a-22ed-4242-a316-ebaecd5a1b36", + "Id": "arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.20/finding/2e14352c-2bb5-4dfc-88af-71467172d92f", "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub" }, { - "Id": "arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.20/finding/2e14352c-2bb5-4dfc-88af-71467172d92f", + "Id": "arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.20/finding/45fee04a-22ed-4242-a316-ebaecd5a1b36", "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub" }, { @@ -65,14 +65,6 @@ { "Id": "arn:aws:inspector2:eu-west-1:012345678912:finding/ff4ebfb9d83b0ee89c7140b30eed5ef9", "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/inspector" - }, - { - "Id": "arn:aws:inspector2:eu-west-1:012345678912:finding/ioperfb9d83b0ee89c7140b30eed5lf9", - "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/inspector" - }, - { - "Id": "arn:aws:inspector2:eu-west-1:012345678912:finding/m58hv3b9d83b0ee89c7140b30eed55kv", - "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/inspector" } ], "Workflow": { 
@@ -82,5 +74,20 @@ "Text": "We support Inspector too", "UpdatedBy": "FindingsManager" } + }, + { + "FindingIdentifiers": [ + { + "Id": "arn:aws:securityhub:eu-west-1:222555888333:subscription/aws-foundational-security-best-practices/v/1.0.0/GuardDuty.5/finding/fa64b182-1f5d-4c13-828a-50af12336fd0", + "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub" + } + ], + "Workflow": { + "Status": "SUPPRESSED" + }, + "Note": { + "Text": "We also support legacy format findings", + "UpdatedBy": "FindingsManager" + } } ] diff --git a/tests/fixtures/matches.json b/tests/fixtures/expected_matched_findings.json similarity index 60% rename from tests/fixtures/matches.json rename to tests/fixtures/expected_matched_findings.json index 3c2c33f..b8c0a70 100644 --- a/tests/fixtures/matches.json +++ b/tests/fixtures/expected_matched_findings.json @@ -752,15 +752,15 @@ }, { "matched_rule": { - "note": "We support Inspector too", - "action": "SUPPRESSED", - "match_on": { - "product_name": "Inspector", - "title": "CVE-2021-3737 - python3.10, python3.10-minimal", - "resource_id_regexps": [ - "^arn:aws:ec2:.*:.*:instance/.*$" - ] - } + "note": "We support Inspector too", + "action": "SUPPRESSED", + "match_on": { + "product_name": "Inspector", + "title": "CVE-2021-3737 - python3.10, python3.10-minimal", + "resource_id_regexps": [ + "^arn:aws:ec2:.*:.*:instance/.*$" + ] + } }, "AwsAccountId": "012345678912", "AwsAccountName": "account", 
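Review bot: The first two hunks of expected_batch_update_findings.json only swap the position of two `Id` entries inside the same `FindingIdentifiers` list, which suggests the test compares this fixture against the generated request with order-sensitive equality. If that order is derived from the findings fixture or from iterating an unordered collection, the expected file will keep needing reshuffles; comparing each `FindingIdentifiers` list as a set of (Id, ProductArn) pairs, or sorting both sides before comparison, would make the fixture stable. The comparison code lives in the test modules, which are outside this chunk, so this is inferred from the fixture alone.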
@@ -768,13 +768,13 @@ "CreatedAt": "2024-11-11T14:40:00.016Z", "Description": "A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability.", "FindingProviderFields": { - "Types": [ - "Software and Configuration Checks/Vulnerabilities/CVE" - ], - "Severity": { - "Normalized": 70, - "Label": "HIGH" - } + "Types": [ + "Software and Configuration Checks/Vulnerabilities/CVE" + ], + "Severity": { + "Normalized": 70, + "Label": "HIGH" + } }, "FirstObservedAt": "2024-11-11T14:40:00.016Z", "GeneratorId": "AWSInspector", 
@@ -783,466 +783,277 @@ "ProcessedAt": "2024-11-11T14:45:08.567Z", "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/inspector", "ProductFields": { - "aws/inspector/ProductVersion": "2", - "aws/inspector/FindingStatus": "CLOSED", - "aws/inspector/inspectorScore": "7.5", - "aws/inspector/instanceId": "i-01e8db61387e018b4", - "aws/inspector/resources/1/resourceDetails/awsEc2InstanceDetails/platform": "UBUNTU_22_04", - "aws/securityhub/FindingId": "arn:aws:securityhub:eu-west-1::product/aws/inspector/arn:aws:inspector2:eu-west-1:012345678912:finding/ff4ebfb9d83b0ee89c7140b30eed5ef9", - "aws/securityhub/ProductName": "Inspector", - "aws/securityhub/CompanyName": "Amazon" + "aws/inspector/ProductVersion": "2", + "aws/inspector/FindingStatus": "CLOSED", + "aws/inspector/inspectorScore": "7.5", + "aws/inspector/instanceId": "i-01e8db61387e018b4", + "aws/inspector/resources/1/resourceDetails/awsEc2InstanceDetails/platform": "UBUNTU_22_04", + "aws/securityhub/FindingId": "arn:aws:securityhub:eu-west-1::product/aws/inspector/arn:aws:inspector2:eu-west-1:012345678912:finding/ff4ebfb9d83b0ee89c7140b30eed5ef9", + "aws/securityhub/ProductName": "Inspector", + "aws/securityhub/CompanyName": "Amazon" }, "ProductName": "Inspector", "RecordState": "ARCHIVED", "Region": "eu-west-1", "Remediation": { - "Recommendation": { - "Text": "Remediation is available. Please refer to the Fixed version in the vulnerability details section above.For detailed remediation guidance for each of the affected packages, refer to the vulnerabilities section of the detailed finding JSON." - } + "Recommendation": { + "Text": "Remediation is available. Please refer to the Fixed version in the vulnerability details section above.For detailed remediation guidance for each of the affected packages, refer to the vulnerabilities section of the detailed finding JSON." 
+ } }, "Resources": [ - { - "Details": { - "AwsEc2Instance": { - "Type": "t3.large", - "VpcId": "vpc-0d165124e6f1211e6", - "ImageId": "ami-030c1a56dd9a0ccd8", - "IpV4Addresses": [ - "192.168.0.74" - ], - "SubnetId": "subnet-062ae210766aa9614", - "LaunchedAt": "2024-11-11T14:38:42.000Z", - "IamInstanceProfileArn": "arn:aws:iam::012345678912:instance-profile/example/example-profile" - } - }, - "Id": "arn:aws:ec2:eu-west-1:012345678912:instance/i-01e8db61387e018b4", - "Partition": "aws", - "Region": "eu-west-1", - "Tags": { - "aws:ec2:fleet-id": "fleet-28b70307-1da4-e616-0cb8-0d20555fe75c", - "ghr:environment": "example", - "aws:ec2launchtemplate:version": "9", - "aws:ec2launchtemplate:id": "lt-0c064043433a6dcfe", - "Name": "example-action-runner" - }, - "Type": "AwsEc2Instance" - } + { + "Details": { + "AwsEc2Instance": { + "Type": "t3.large", + "VpcId": "vpc-0d165124e6f1211e6", + "ImageId": "ami-030c1a56dd9a0ccd8", + "IpV4Addresses": [ + "192.168.0.74" + ], + "SubnetId": "subnet-062ae210766aa9614", + "LaunchedAt": "2024-11-11T14:38:42.000Z", + "IamInstanceProfileArn": "arn:aws:iam::012345678912:instance-profile/example/example-profile" + } + }, + "Id": "arn:aws:ec2:eu-west-1:012345678912:instance/i-01e8db61387e018b4", + "Partition": "aws", + "Region": "eu-west-1", + "Tags": { + "aws:ec2:fleet-id": "fleet-28b70307-1da4-e616-0cb8-0d20555fe75c", + "ghr:environment": "example", + "aws:ec2launchtemplate:version": "9", + "aws:ec2launchtemplate:id": "lt-0c064043433a6dcfe", + "Name": "example-action-runner" + }, + "Type": "AwsEc2Instance" + } ], "SchemaVersion": "2018-10-08", "Severity": { - "Label": "HIGH", - "Normalized": 70 + "Label": "HIGH", + "Normalized": 70 }, "Title": "CVE-2021-3737 - python3.10, python3.10-minimal", "Types": [ - "Software and Configuration Checks/Vulnerabilities/CVE" + "Software and Configuration Checks/Vulnerabilities/CVE" ], "UpdatedAt": "2024-11-11T14:44:51.175Z", "Vulnerabilities": [ - { - "Cvss": [ - { - "BaseScore": 7.5, - "BaseVector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "Source": "UBUNTU_CVE", - "Version": "3.1" - }, - { - "BaseScore": 7.5, - "BaseVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "Source": "NVD", - "Version": "3.1" - }, - { - "BaseScore": 7.5, - "BaseVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "Source": "UBUNTU_CVE", - "Version": "3.1" - } - ], - "EpssScore": 0.01559, - "ExploitAvailable": "NO", - "FixAvailable": "YES", - "Id": "CVE-2021-3737", - "ReferenceUrls": [ - "https://ubuntu.com/security/notices/USN-5083-1", - "https://ubuntu.com/security/notices/USN-5201-1", - "https://ubuntu.com/security/notices/USN-5200-1", - "https://ubuntu.com/security/notices/USN-6891-1", - "https://bugs.python.org/issue44022", - "https://www.cve.org/CVERecord?id=CVE-2021-3737", - "https://ubuntu.com/security/notices/USN-5199-1" - ], - "RelatedVulnerabilities": [ - "USN-5200-1", - "USN-5201-1", - "USN-5083-1", - "USN-6891-1", - "USN-5199-1" - ], - "Vendor": { - "VendorCreatedAt": "2022-03-04T19:15:00.000Z", - "VendorSeverity": "medium", - "Url": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-3737.html", - "Name": "UBUNTU_CVE" - }, - "VulnerablePackages": [ - { - "Architecture": "X86_64", - "PackageManager": "OS", - "Version": "3.10.6", - "Epoch": "0", - "FixedInVersion": "0:3.10.12-1~22.04.4", - "Remediation": "apt-get update && apt-get upgrade", - "Release": "1~22.04.2ubuntu1.1", - "Name": "python3.10" - }, - { - "Architecture": "X86_64", - "PackageManager": "OS", - "Version": "3.10.6", - "Epoch": "0", - "FixedInVersion": "0:3.10.12-1~22.04.4", - "Remediation": "apt-get update && apt-get upgrade", - "Release": "1~22.04.2ubuntu1.1", - "Name": "python3.10-minimal" - } - ] - } + { + "Cvss": [ + { + "BaseScore": 7.5, + "BaseVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Source": "UBUNTU_CVE", + "Version": "3.1" + }, + { + "BaseScore": 7.5, + "BaseVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Source": "NVD", + "Version": 
"3.1" + }, + { + "BaseScore": 7.5, + "BaseVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Source": "UBUNTU_CVE", + "Version": "3.1" + } + ], + "EpssScore": 0.01559, + "ExploitAvailable": "NO", + "FixAvailable": "YES", + "Id": "CVE-2021-3737", + "ReferenceUrls": [ + "https://ubuntu.com/security/notices/USN-5083-1", + "https://ubuntu.com/security/notices/USN-5201-1", + "https://ubuntu.com/security/notices/USN-5200-1", + "https://ubuntu.com/security/notices/USN-6891-1", + "https://bugs.python.org/issue44022", + "https://www.cve.org/CVERecord?id=CVE-2021-3737", + "https://ubuntu.com/security/notices/USN-5199-1" + ], + "RelatedVulnerabilities": [ + "USN-5200-1", + "USN-5201-1", + "USN-5083-1", + "USN-6891-1", + "USN-5199-1" + ], + "Vendor": { + "VendorCreatedAt": "2022-03-04T19:15:00.000Z", + "VendorSeverity": "medium", + "Url": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-3737.html", + "Name": "UBUNTU_CVE" + }, + "VulnerablePackages": [ + { + "Architecture": "X86_64", + "PackageManager": "OS", + "Version": "3.10.6", + "Epoch": "0", + "FixedInVersion": "0:3.10.12-1~22.04.4", + "Remediation": "apt-get update && apt-get upgrade", + "Release": "1~22.04.2ubuntu1.1", + "Name": "python3.10" + }, + { + "Architecture": "X86_64", + "PackageManager": "OS", + "Version": "3.10.6", + "Epoch": "0", + "FixedInVersion": "0:3.10.12-1~22.04.4", + "Remediation": "apt-get update && apt-get upgrade", + "Release": "1~22.04.2ubuntu1.1", + "Name": "python3.10-minimal" + } + ] + } ], "Workflow": { - "Status": "NEW" + "Status": "NEW" }, "WorkflowState": "NEW" }, { "matched_rule": { - "note": "We support Inspector too", - "action": "SUPPRESSED", - "match_on": { - "product_name": "Inspector", - "title": "CVE-2021-3737 - python3.10, python3.10-minimal", - "resource_id_regexps": [ - "^arn:aws:ec2:.*:.*:instance/.*$" - ] - } - }, - "AwsAccountId": "012345678912", - "AwsAccountName": "account", - "CompanyName": "Amazon", - "CreatedAt": "2024-11-11T14:40:00.016Z", - 
"Description": "A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability.", - "FindingProviderFields": { - "Types": [ - "Software and Configuration Checks/Vulnerabilities/CVE" - ], - "Severity": { - "Normalized": 70, - "Label": "HIGH" - } - }, - "FirstObservedAt": "2024-11-11T14:40:00.016Z", - "GeneratorId": "AWSInspector", - "Id": "arn:aws:inspector2:eu-west-1:012345678912:finding/ioperfb9d83b0ee89c7140b30eed5lf9", - "LastObservedAt": "2024-11-11T14:40:00.016Z", - "ProcessedAt": "2024-11-11T14:45:08.567Z", - "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/inspector", - "ProductFields": { - "aws/inspector/ProductVersion": "2", - "aws/inspector/FindingStatus": "CLOSED", - "aws/inspector/inspectorScore": "7.5", - "aws/inspector/instanceId": "i-01e8db61387e018b4", - "aws/inspector/resources/1/resourceDetails/awsEc2InstanceDetails/platform": "UBUNTU_22_04", - "aws/securityhub/FindingId": "arn:aws:securityhub:eu-west-1::product/aws/inspector/arn:aws:inspector2:eu-west-1:012345678912:finding/ff4ebfb9d83b0ee89c7140b30eed5ef9", - "aws/securityhub/ProductName": "Inspector", - "aws/securityhub/CompanyName": "Amazon" - }, - "ProductName": "Inspector", - "RecordState": "ARCHIVED", - "Region": "eu-west-1", - "Remediation": { - "Recommendation": { - "Text": "Remediation is available. Please refer to the Fixed version in the vulnerability details section above.For detailed remediation guidance for each of the affected packages, refer to the vulnerabilities section of the detailed finding JSON." 
- } + "note": "We also support legacy format findings", + "action": "SUPPRESSED", + "match_on": { + "rule_or_control_id": "GuardDuty.5" + } }, - "Resources": [ - { - "Details": { - "AwsEc2Instance": { - "Type": "t3.large", - "VpcId": "vpc-0d165124e6f1211e6", - "ImageId": "ami-030c1a56dd9a0ccd8", - "IpV4Addresses": [ - "192.168.0.74" - ], - "SubnetId": "subnet-062ae210766aa9614", - "LaunchedAt": "2024-11-11T14:38:42.000Z", - "IamInstanceProfileArn": "arn:aws:iam::012345678912:instance-profile/example/example-profile" - } - }, - "Id": "arn:aws:ec2:eu-west-1:012345678912:instance/i-01e8db61387e018b4", - "Partition": "aws", - "Region": "eu-west-1", - "Tags": { - "aws:ec2:fleet-id": "fleet-28b70307-1da4-e616-0cb8-0d20555fe75c", - "ghr:environment": "example", - "aws:ec2launchtemplate:version": "9", - "aws:ec2launchtemplate:id": "lt-0c064043433a6dcfe", - "Name": "example-action-runner" - }, - "Type": "AwsEc2Instance" - } - ], "SchemaVersion": "2018-10-08", - "Severity": { - "Label": "HIGH", - "Normalized": 70 - }, - "Title": "CVE-2021-3737 - python3.10, python3.10-minimal", + "Id": "arn:aws:securityhub:eu-west-1:222555888333:subscription/aws-foundational-security-best-practices/v/1.0.0/GuardDuty.5/finding/fa64b182-1f5d-4c13-828a-50af12336fd0", + "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub", + "ProductName": "Security Hub", + "CompanyName": "AWS", + "Region": "eu-west-1", + "GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/GuardDuty.5", + "AwsAccountId": "222555888333", "Types": [ - "Software and Configuration Checks/Vulnerabilities/CVE" - ], - "UpdatedAt": "2024-11-11T14:44:51.175Z", - "Vulnerabilities": [ - { - "Cvss": [ - { - "BaseScore": 7.5, - "BaseVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "Source": "UBUNTU_CVE", - "Version": "3.1" - }, - { - "BaseScore": 7.5, - "BaseVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "Source": "NVD", - "Version": "3.1" - }, - { - "BaseScore": 7.5, - "BaseVector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "Source": "UBUNTU_CVE", - "Version": "3.1" - } - ], - "EpssScore": 0.01559, - "ExploitAvailable": "NO", - "FixAvailable": "YES", - "Id": "CVE-2021-3737", - "ReferenceUrls": [ - "https://ubuntu.com/security/notices/USN-5083-1", - "https://ubuntu.com/security/notices/USN-5201-1", - "https://ubuntu.com/security/notices/USN-5200-1", - "https://ubuntu.com/security/notices/USN-6891-1", - "https://bugs.python.org/issue44022", - "https://www.cve.org/CVERecord?id=CVE-2021-3737", - "https://ubuntu.com/security/notices/USN-5199-1" - ], - "RelatedVulnerabilities": [ - "USN-5200-1", - "USN-5201-1", - "USN-5083-1", - "USN-6891-1", - "USN-5199-1" - ], - "Vendor": { - "VendorCreatedAt": "2022-03-04T19:15:00.000Z", - "VendorSeverity": "medium", - "Url": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-3737.html", - "Name": "UBUNTU_CVE" - }, - "VulnerablePackages": [ - { - "Architecture": "X86_64", - "PackageManager": "OS", - "Version": "3.10.6", - "Epoch": "0", - "FixedInVersion": "0:3.10.12-1~22.04.4", - "Remediation": "apt-get update && apt-get upgrade", - "Release": "1~22.04.2ubuntu1.1", - "Name": "python3.10" - }, - { - "Architecture": "X86_64", - "PackageManager": "OS", - "Version": "3.10.6", - "Epoch": "0", - "FixedInVersion": "0:3.10.12-1~22.04.4", - "Remediation": "apt-get update && apt-get upgrade", - "Release": "1~22.04.2ubuntu1.1", - "Name": "python3.10-minimal" - } - ] - } + "Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices" ], - "Workflow": { - "Status": "NEW" - }, - "WorkflowState": "NEW" - }, - { - "matched_rule": { - "note": "We support Inspector too", - "action": "SUPPRESSED", - "match_on": { - "product_name": "Inspector", - "title": "CVE-2021-3737 - python3.10, python3.10-minimal", - "resource_id_regexps": [ - "^arn:aws:ec2:.*:.*:instance/.*$" - ] - } + "FirstObservedAt": "2024-07-13T00:32:44.734Z", + "LastObservedAt": 
"2024-07-17T12:36:15.611Z", + "CreatedAt": "2024-07-13T00:32:44.734Z", + "UpdatedAt": "2024-07-17T12:35:59.820Z", + "Severity": { + "Product": 70, + "Label": "HIGH", + "Normalized": 70, + "Original": "HIGH" }, - "AwsAccountId": "012345678912", - "AwsAccountName": "account", - "CompanyName": "Amazon", - "CreatedAt": "2024-11-11T14:40:00.016Z", - "Description": "A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability.", - "FindingProviderFields": { - "Types": [ - "Software and Configuration Checks/Vulnerabilities/CVE" - ], - "Severity": { - "Normalized": 70, - "Label": "HIGH" - } + "Title": "GuardDuty.5 GuardDuty EKS Audit Log Monitoring should be enabled", + "Description": "This control checks whether GuardDuty EKS Audit Log Monitoring is enabled. The control fails if GuardDuty EKS Audit Log Monitoring isn't enabled.", + "Remediation": { + "Recommendation": { + "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "Url": "https://docs.aws.amazon.com/console/securityhub/GuardDuty.5/remediation" + } }, - "FirstObservedAt": "2024-11-11T14:40:00.016Z", - "GeneratorId": "AWSInspector", - "Id": "arn:aws:inspector2:eu-west-1:012345678912:finding/m58hv3b9d83b0ee89c7140b30eed55kv", - "LastObservedAt": "2024-11-11T14:40:00.016Z", - "ProcessedAt": "2024-11-11T14:45:08.567Z", - "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/inspector", "ProductFields": { - "aws/inspector/ProductVersion": "2", - "aws/inspector/FindingStatus": "CLOSED", - "aws/inspector/inspectorScore": "7.5", - "aws/inspector/instanceId": "i-01e8db61387e018b4", - "aws/inspector/resources/1/resourceDetails/awsEc2InstanceDetails/platform": "UBUNTU_22_04", - "aws/securityhub/FindingId": 
"arn:aws:securityhub:eu-west-1::product/aws/inspector/arn:aws:inspector2:eu-west-1:012345678912:finding/ff4ebfb9d83b0ee89c7140b30eed5ef9", - "aws/securityhub/ProductName": "Inspector", - "aws/securityhub/CompanyName": "Amazon" - }, - "ProductName": "Inspector", - "RecordState": "ARCHIVED", - "Region": "eu-west-1", - "Remediation": { - "Recommendation": { - "Text": "Remediation is available. Please refer to the Fixed version in the vulnerability details section above.For detailed remediation guidance for each of the affected packages, refer to the vulnerabilities section of the detailed finding JSON." - } + "StandardsArn": "arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0", + "StandardsSubscriptionArn": "arn:aws:securityhub:eu-west-1:222555888333:subscription/aws-foundational-security-best-practices/v/1.0.0", + "ControlId": "GuardDuty.5", + "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/GuardDuty.5/remediation", + "RelatedAWSResources:0/name": "securityhub-guardduty-eks-protection-audit-enabled-4ea31c89", + "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", + "StandardsControlArn": "arn:aws:securityhub:eu-west-1:222555888333:control/aws-foundational-security-best-practices/v/1.0.0/GuardDuty.5", + "aws/securityhub/ProductName": "Security Hub", + "aws/securityhub/CompanyName": "AWS", + "Resources:0/Id": "arn:aws:guardduty:eu-west-1:222555888333:detector/c350ca4fd7594d5fbda1f71ac6332dc8", + "aws/securityhub/FindingId": "arn:aws:securityhub:eu-west-1::product/aws/securityhub/arn:aws:securityhub:eu-west-1:222555888333:subscription/aws-foundational-security-best-practices/v/1.0.0/GuardDuty.5/finding/fa64b182-1f5d-4c13-828a-50af12336fd0" }, "Resources": [ - { - "Details": { - "AwsEc2Instance": { - "Type": "t3.large", - "VpcId": "vpc-0d165124e6f1211e6", - "ImageId": "ami-030c1a56dd9a0ccd8", - "IpV4Addresses": [ - "192.168.0.74" - ], - "SubnetId": "subnet-062ae210766aa9614", - "LaunchedAt": 
"2024-11-11T14:38:42.000Z", - "IamInstanceProfileArn": "arn:aws:iam::012345678912:instance-profile/example/example-profile" + { + "Type": "AwsGuardDutyDetector", + "Id": "arn:aws:guardduty:eu-west-1:222555888333:detector/c350ca4fd7594d5fbda1f71ac6332dc8", + "Partition": "aws", + "Region": "eu-west-1", + "Tags": { + "Environment": "staging", + "Env": "stg", + "Stack": "base" + }, + "Details": { + "AwsGuardDutyDetector": { + "DataSources": { + "Kubernetes": { + "AuditLogs": { + "Status": "DISABLED" } + }, + "S3Logs": { + "Status": "ENABLED" + } }, - "Id": "arn:aws:ec2:eu-west-1:012345678912:instance/i-01e8db61387e018b4", - "Partition": "aws", - "Region": "eu-west-1", - "Tags": { - "aws:ec2:fleet-id": "fleet-28b70307-1da4-e616-0cb8-0d20555fe75c", - "ghr:environment": "example", - "aws:ec2launchtemplate:version": "9", - "aws:ec2launchtemplate:id": "lt-0c064043433a6dcfe", - "Name": "example-action-runner" - }, - "Type": "AwsEc2Instance" - } - ], - "SchemaVersion": "2018-10-08", - "Severity": { - "Label": "HIGH", - "Normalized": 70 - }, - "Title": "CVE-2021-3737 - python3.10, python3.10-minimal", - "Types": [ - "Software and Configuration Checks/Vulnerabilities/CVE" - ], - "UpdatedAt": "2024-11-11T14:44:51.175Z", - "Vulnerabilities": [ - { - "Cvss": [ - { - "BaseScore": 7.5, - "BaseVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "Source": "UBUNTU_CVE", - "Version": "3.1" - }, - { - "BaseScore": 7.5, - "BaseVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "Source": "NVD", - "Version": "3.1" - }, - { - "BaseScore": 7.5, - "BaseVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "Source": "UBUNTU_CVE", - "Version": "3.1" - } - ], - "EpssScore": 0.01559, - "ExploitAvailable": "NO", - "FixAvailable": "YES", - "Id": "CVE-2021-3737", - "ReferenceUrls": [ - "https://ubuntu.com/security/notices/USN-5083-1", - "https://ubuntu.com/security/notices/USN-5201-1", - "https://ubuntu.com/security/notices/USN-5200-1", - 
"https://ubuntu.com/security/notices/USN-6891-1", - "https://bugs.python.org/issue44022", - "https://www.cve.org/CVERecord?id=CVE-2021-3737", - "https://ubuntu.com/security/notices/USN-5199-1" - ], - "RelatedVulnerabilities": [ - "USN-5200-1", - "USN-5201-1", - "USN-5083-1", - "USN-6891-1", - "USN-5199-1" + "Features": [ + { + "Name": "CLOUD_TRAIL", + "Status": "ENABLED" + }, + { + "Name": "DNS_LOGS", + "Status": "ENABLED" + }, + { + "Name": "FLOW_LOGS", + "Status": "ENABLED" + }, + { + "Name": "S3_DATA_EVENTS", + "Status": "ENABLED" + }, + { + "Name": "EKS_AUDIT_LOGS", + "Status": "DISABLED" + }, + { + "Name": "EBS_MALWARE_PROTECTION", + "Status": "ENABLED" + }, + { + "Name": "RDS_LOGIN_EVENTS", + "Status": "ENABLED" + }, + { + "Name": "EKS_RUNTIME_MONITORING", + "Status": "DISABLED" + }, + { + "Name": "LAMBDA_NETWORK_LOGS", + "Status": "ENABLED" + }, + { + "Name": "RUNTIME_MONITORING", + "Status": "ENABLED" + } ], - "Vendor": { - "VendorCreatedAt": "2022-03-04T19:15:00.000Z", - "VendorSeverity": "medium", - "Url": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-3737.html", - "Name": "UBUNTU_CVE" - }, - "VulnerablePackages": [ - { - "Architecture": "X86_64", - "PackageManager": "OS", - "Version": "3.10.6", - "Epoch": "0", - "FixedInVersion": "0:3.10.12-1~22.04.4", - "Remediation": "apt-get update && apt-get upgrade", - "Release": "1~22.04.2ubuntu1.1", - "Name": "python3.10" - }, - { - "Architecture": "X86_64", - "PackageManager": "OS", - "Version": "3.10.6", - "Epoch": "0", - "FixedInVersion": "0:3.10.12-1~22.04.4", - "Remediation": "apt-get update && apt-get upgrade", - "Release": "1~22.04.2ubuntu1.1", - "Name": "python3.10-minimal" - } - ] + "FindingPublishingFrequency": "FIFTEEN_MINUTES", + "Status": "ENABLED" + } } + } ], + "Compliance": { + "Status": "FAILED" + }, + "WorkflowState": "NEW", "Workflow": { - "Status": "NEW" + "Status": "NEW" }, - "WorkflowState": "NEW" + "RecordState": "ACTIVE", + "FindingProviderFields": { + "Severity": { + 
"Label": "HIGH", + "Original": "HIGH" + }, + "Types": [ + "Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices" + ] + }, + "ProcessedAt": "2024-07-17T12:36:18.763Z", + "AwsAccountName": "base-client" } -] \ No newline at end of file +] diff --git a/tests/fixtures/findings/api_consolidated.json b/tests/fixtures/findings/api_consolidated.json deleted file mode 100644 index 31e753f..0000000 --- a/tests/fixtures/findings/api_consolidated.json +++ /dev/null 
@@ -1,190 +0,0 @@ -{ - "ResponseMetadata": { - "RequestId": "a6dd7122-1490-4d3b-84d7-489e6005f07e", - "HTTPStatusCode": 200, - "HTTPHeaders": { - "date": "Mon, 24 Jun 2024 14:07:21 GMT", - "content-type": "application/json", - "content-length": "4799", - "connection": "keep-alive", - "x-amzn-requestid": "a6dd7122-1490-4d3b-84d7-489e6005f07e", - "access-control-allow-origin": "*", - "access-control-allow-headers": "Authorization,Date,X-Amz-Date,X-Amz-Security-Token,X-Amz-Target,content-type,x-amz-content-sha256,x-amz-user-agent,x-amzn-platform-id,x-amzn-trace-id", - "x-amz-apigw-id": "Z4CP9FJXDoAAABg=", - "cache-control": "no-cache", - "access-control-allow-methods": "GET,POST,OPTIONS,PUT,PATCH,DELETE", - "access-control-expose-headers": "x-amzn-errortype,x-amzn-requestid,x-amzn-errormessage,x-amzn-trace-id,x-amz-apigw-id,date", - "x-amzn-trace-id": "Root=1-66797d99-1400daac266a556d768b6360", - "access-control-max-age": "86400" - }, - "RetryAttempts": 0 - }, - "Findings": [ - { - "SchemaVersion": "2018-10-08", - "Id": "arn:aws:securityhub:eu-west-1:1234567890:security-control/GuardDuty.1/finding/bbfe351f-dc6b-4ea3-9ece-08934a88798d", - "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub", - "ProductName": "Security Hub", - "CompanyName": "AWS", - "Region": "eu-west-1", - "GeneratorId": "security-control/GuardDuty.1", - "AwsAccountId": "1234567890", - "Types": [ - "Software and Configuration Checks/Industry and Regulatory Standards" - ], - "FirstObservedAt": "2023-11-21T08:22:16.054Z", - "LastObservedAt": "2024-06-24T09:00:51.562Z", - "CreatedAt": "2023-11-21T08:22:16.054Z", - "UpdatedAt": "2024-06-24T09:00:45.686Z", - "Severity": { - "Label": "HIGH", - "Normalized": 70, - "Original": "HIGH" - }, - "Title": "GuardDuty should be enabled", - "Description": "This AWS control checks whether Amazon GuardDuty is enabled in your AWS account and region.", - "Remediation": { - "Recommendation": { - "Text": "For information on how to correct this issue, 
consult the AWS Security Hub controls documentation.", - "Url": "https://docs.aws.amazon.com/console/securityhub/GuardDuty.1/remediation" - } - }, - "ProductFields": { - "RelatedAWSResources:0/name": "securityhub-guardduty-enabled-centralized-c07f55ef", - "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", - "aws/securityhub/ProductName": "Security Hub", - "aws/securityhub/CompanyName": "AWS", - "aws/securityhub/annotation": "Amazon GuardDuty is not configured.", - "Resources:0/Id": "arn:aws:iam::1234567890:root", - "aws/securityhub/FindingId": "arn:aws:securityhub:eu-west-1::product/aws/securityhub/arn:aws:securityhub:eu-west-1:1234567890:security-control/GuardDuty.1/finding/bbfe351f-dc6b-4ea3-9ece-08934a88798d" - }, - "Resources": [ - { - "Type": "AwsAccount", - "Id": "AWS::::Account:1234567890", - "Partition": "aws", - "Region": "eu-west-1" - } - ], - "Compliance": { - "Status": "FAILED", - "RelatedRequirements": [ - "PCI DSS v3.2.1/11.4" - ], - "SecurityControlId": "GuardDuty.1", - "AssociatedStandards": [ - { - "StandardsId": "standards/aws-foundational-security-best-practices/v/1.0.0" - }, - { - "StandardsId": "standards/pci-dss/v/3.2.1" - } - ] - }, - "WorkflowState": "NEW", - "Workflow": { - "Status": "SUPPRESSED" - }, - "RecordState": "ACTIVE", - "Note": { - "Text": "Maybe later", - "UpdatedBy": "FindingsManager", - "UpdatedAt": "2024-06-24T12:45:06.677Z" - }, - "FindingProviderFields": { - "Severity": { - "Label": "HIGH", - "Original": "HIGH" - }, - "Types": [ - "Software and Configuration Checks/Industry and Regulatory Standards" - ] - }, - "ProcessedAt": "2024-06-24T12:45:06.702Z", - "AwsAccountName": "account1" - }, - { - "SchemaVersion": "2018-10-08", - "Id": "arn:aws:securityhub:eu-west-1:2345678901:security-control/GuardDuty.1/finding/a32acb1c-8a92-4122-b32a-5b35e71d0a6e", - "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub", - "ProductName": "Security Hub", - "CompanyName": "AWS", - "Region": "eu-west-1", - "GeneratorId": 
"security-control/GuardDuty.1", - "AwsAccountId": "2345678901", - "Types": [ - "Software and Configuration Checks/Industry and Regulatory Standards" - ], - "FirstObservedAt": "2023-11-21T08:43:17.051Z", - "LastObservedAt": "2024-06-24T08:27:57.806Z", - "CreatedAt": "2023-11-21T08:43:17.051Z", - "UpdatedAt": "2024-06-24T08:27:43.972Z", - "Severity": { - "Label": "HIGH", - "Normalized": 70, - "Original": "HIGH" - }, - "Title": "GuardDuty should be enabled", - "Description": "This AWS control checks whether Amazon GuardDuty is enabled in your AWS account and region.", - "Remediation": { - "Recommendation": { - "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", - "Url": "https://docs.aws.amazon.com/console/securityhub/GuardDuty.1/remediation" - } - }, - "ProductFields": { - "RelatedAWSResources:0/name": "securityhub-guardduty-enabled-centralized-e9e5d5d1", - "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", - "aws/securityhub/ProductName": "Security Hub", - "aws/securityhub/CompanyName": "AWS", - "aws/securityhub/annotation": "Amazon GuardDuty is not configured.", - "Resources:0/Id": "arn:aws:iam::2345678901:root", - "aws/securityhub/FindingId": "arn:aws:securityhub:eu-west-1::product/aws/securityhub/arn:aws:securityhub:eu-west-1:2345678901:security-control/GuardDuty.1/finding/a32acb1c-8a92-4122-b32a-5b35e71d0a6e" - }, - "Resources": [ - { - "Type": "AwsAccount", - "Id": "AWS::::Account:2345678901", - "Partition": "aws", - "Region": "eu-west-1" - } - ], - "Compliance": { - "Status": "FAILED", - "RelatedRequirements": [ - "PCI DSS v3.2.1/11.4" - ], - "SecurityControlId": "GuardDuty.1", - "AssociatedStandards": [ - { - "StandardsId": "standards/aws-foundational-security-best-practices/v/1.0.0" - }, - { - "StandardsId": "standards/pci-dss/v/3.2.1" - } - ] - }, - "WorkflowState": "NEW", - "Workflow": { - "Status": "SUPPRESSED" - }, - "RecordState": "ACTIVE", - "Note": { - "Text": "Maybe later", - 
"UpdatedBy": "FindingsManager", - "UpdatedAt": "2024-06-24T12:45:06.677Z" - }, - "FindingProviderFields": { - "Severity": { - "Label": "HIGH", - "Original": "HIGH" - }, - "Types": [ - "Software and Configuration Checks/Industry and Regulatory Standards" - ] - }, - "ProcessedAt": "2024-06-24T12:45:06.706Z", - "AwsAccountName": "account2" - } - ] -} diff --git a/tests/fixtures/findings/full/Inspector/acc.json b/tests/fixtures/findings/full/Inspector/acc.json deleted file mode 100644 index da55751..0000000 --- a/tests/fixtures/findings/full/Inspector/acc.json +++ /dev/null 
@@ -1,154 +0,0 @@ -{ - "AwsAccountId": "012345678912", - "AwsAccountName": "account", - "CompanyName": "Amazon", - "CreatedAt": "2024-11-11T14:40:00.016Z", - "Description": "A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability.", - "FindingProviderFields": { - "Types": [ - "Software and Configuration Checks/Vulnerabilities/CVE" - ], - "Severity": { - "Normalized": 70, - "Label": "HIGH" - } - }, - "FirstObservedAt": "2024-11-11T14:40:00.016Z", - "GeneratorId": "AWSInspector", - "Id": "arn:aws:inspector2:eu-west-1:012345678912:finding/ioperfb9d83b0ee89c7140b30eed5lf9", - "LastObservedAt": "2024-11-11T14:40:00.016Z", - "ProcessedAt": "2024-11-11T14:45:08.567Z", - "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/inspector", - "ProductFields": { - "aws/inspector/ProductVersion": "2", - "aws/inspector/FindingStatus": "CLOSED", - "aws/inspector/inspectorScore": "7.5", - "aws/inspector/instanceId": "i-01e8db61387e018b4", - "aws/inspector/resources/1/resourceDetails/awsEc2InstanceDetails/platform": "UBUNTU_22_04", - "aws/securityhub/FindingId": "arn:aws:securityhub:eu-west-1::product/aws/inspector/arn:aws:inspector2:eu-west-1:012345678912:finding/ff4ebfb9d83b0ee89c7140b30eed5ef9", - "aws/securityhub/ProductName": "Inspector", - "aws/securityhub/CompanyName": "Amazon" - }, - "ProductName": "Inspector", - "RecordState": "ARCHIVED", - "Region": "eu-west-1", - "Remediation": { - "Recommendation": { - "Text": "Remediation is available. Please refer to the Fixed version in the vulnerability details section above.For detailed remediation guidance for each of the affected packages, refer to the vulnerabilities section of the detailed finding JSON." 
- } - }, - "Resources": [ - { - "Details": { - "AwsEc2Instance": { - "Type": "t3.large", - "VpcId": "vpc-0d165124e6f1211e6", - "ImageId": "ami-030c1a56dd9a0ccd8", - "IpV4Addresses": [ - "192.168.0.74" - ], - "SubnetId": "subnet-062ae210766aa9614", - "LaunchedAt": "2024-11-11T14:38:42.000Z", - "IamInstanceProfileArn": "arn:aws:iam::012345678912:instance-profile/example/example-profile" - } - }, - "Id": "arn:aws:ec2:eu-west-1:012345678912:instance/i-01e8db61387e018b4", - "Partition": "aws", - "Region": "eu-west-1", - "Tags": { - "aws:ec2:fleet-id": "fleet-28b70307-1da4-e616-0cb8-0d20555fe75c", - "ghr:environment": "example", - "aws:ec2launchtemplate:version": "9", - "aws:ec2launchtemplate:id": "lt-0c064043433a6dcfe", - "Name": "example-action-runner" - }, - "Type": "AwsEc2Instance" - } - ], - "SchemaVersion": "2018-10-08", - "Severity": { - "Label": "HIGH", - "Normalized": 70 - }, - "Title": "CVE-2021-3737 - python3.10, python3.10-minimal", - "Types": [ - "Software and Configuration Checks/Vulnerabilities/CVE" - ], - "UpdatedAt": "2024-11-11T14:44:51.175Z", - "Vulnerabilities": [ - { - "Cvss": [ - { - "BaseScore": 7.5, - "BaseVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "Source": "UBUNTU_CVE", - "Version": "3.1" - }, - { - "BaseScore": 7.5, - "BaseVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "Source": "NVD", - "Version": "3.1" - }, - { - "BaseScore": 7.5, - "BaseVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "Source": "UBUNTU_CVE", - "Version": "3.1" - } - ], - "EpssScore": 0.01559, - "ExploitAvailable": "NO", - "FixAvailable": "YES", - "Id": "CVE-2021-3737", - "ReferenceUrls": [ - "https://ubuntu.com/security/notices/USN-5083-1", - "https://ubuntu.com/security/notices/USN-5201-1", - "https://ubuntu.com/security/notices/USN-5200-1", - "https://ubuntu.com/security/notices/USN-6891-1", - "https://bugs.python.org/issue44022", - "https://www.cve.org/CVERecord?id=CVE-2021-3737", - "https://ubuntu.com/security/notices/USN-5199-1" - 
], - "RelatedVulnerabilities": [ - "USN-5200-1", - "USN-5201-1", - "USN-5083-1", - "USN-6891-1", - "USN-5199-1" - ], - "Vendor": { - "VendorCreatedAt": "2022-03-04T19:15:00.000Z", - "VendorSeverity": "medium", - "Url": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-3737.html", - "Name": "UBUNTU_CVE" - }, - "VulnerablePackages": [ - { - "Architecture": "X86_64", - "PackageManager": "OS", - "Version": "3.10.6", - "Epoch": "0", - "FixedInVersion": "0:3.10.12-1~22.04.4", - "Remediation": "apt-get update && apt-get upgrade", - "Release": "1~22.04.2ubuntu1.1", - "Name": "python3.10" - }, - { - "Architecture": "X86_64", - "PackageManager": "OS", - "Version": "3.10.6", - "Epoch": "0", - "FixedInVersion": "0:3.10.12-1~22.04.4", - "Remediation": "apt-get update && apt-get upgrade", - "Release": "1~22.04.2ubuntu1.1", - "Name": "python3.10-minimal" - } - ] - } - ], - "Workflow": { - "Status": "NEW" - }, - "WorkflowState": "NEW" -} diff --git a/tests/fixtures/findings/full/Inspector/dev.json b/tests/fixtures/findings/full/Inspector/dev.json deleted file mode 100644 index 9c15d82..0000000 --- a/tests/fixtures/findings/full/Inspector/dev.json +++ /dev/null 
@@ -1,154 +0,0 @@ -{ - "AwsAccountId": "012345678912", - "AwsAccountName": "account", - "CompanyName": "Amazon", - "CreatedAt": "2024-11-11T14:40:00.016Z", - "Description": "A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability.", - "FindingProviderFields": { - "Types": [ - "Software and Configuration Checks/Vulnerabilities/CVE" - ], - "Severity": { - "Normalized": 70, - "Label": "HIGH" - } - }, - "FirstObservedAt": "2024-11-11T14:40:00.016Z", - "GeneratorId": "AWSInspector", - "Id": "arn:aws:inspector2:eu-west-1:012345678912:finding/ff4ebfb9d83b0ee89c7140b30eed5ef9", - "LastObservedAt": "2024-11-11T14:40:00.016Z", - "ProcessedAt": "2024-11-11T14:45:08.567Z", - "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/inspector", - "ProductFields": { - "aws/inspector/ProductVersion": "2", - "aws/inspector/FindingStatus": "CLOSED", - "aws/inspector/inspectorScore": "7.5", - "aws/inspector/instanceId": "i-01e8db61387e018b4", - "aws/inspector/resources/1/resourceDetails/awsEc2InstanceDetails/platform": "UBUNTU_22_04", - "aws/securityhub/FindingId": "arn:aws:securityhub:eu-west-1::product/aws/inspector/arn:aws:inspector2:eu-west-1:012345678912:finding/ff4ebfb9d83b0ee89c7140b30eed5ef9", - "aws/securityhub/ProductName": "Inspector", - "aws/securityhub/CompanyName": "Amazon" - }, - "ProductName": "Inspector", - "RecordState": "ARCHIVED", - "Region": "eu-west-1", - "Remediation": { - "Recommendation": { - "Text": "Remediation is available. Please refer to the Fixed version in the vulnerability details section above.For detailed remediation guidance for each of the affected packages, refer to the vulnerabilities section of the detailed finding JSON." 
- } - }, - "Resources": [ - { - "Details": { - "AwsEc2Instance": { - "Type": "t3.large", - "VpcId": "vpc-0d165124e6f1211e6", - "ImageId": "ami-030c1a56dd9a0ccd8", - "IpV4Addresses": [ - "192.168.0.74" - ], - "SubnetId": "subnet-062ae210766aa9614", - "LaunchedAt": "2024-11-11T14:38:42.000Z", - "IamInstanceProfileArn": "arn:aws:iam::012345678912:instance-profile/example/example-profile" - } - }, - "Id": "arn:aws:ec2:eu-west-1:012345678912:instance/i-01e8db61387e018b4", - "Partition": "aws", - "Region": "eu-west-1", - "Tags": { - "aws:ec2:fleet-id": "fleet-28b70307-1da4-e616-0cb8-0d20555fe75c", - "ghr:environment": "example", - "aws:ec2launchtemplate:version": "9", - "aws:ec2launchtemplate:id": "lt-0c064043433a6dcfe", - "Name": "example-action-runner" - }, - "Type": "AwsEc2Instance" - } - ], - "SchemaVersion": "2018-10-08", - "Severity": { - "Label": "HIGH", - "Normalized": 70 - }, - "Title": "CVE-2021-3737 - python3.10, python3.10-minimal", - "Types": [ - "Software and Configuration Checks/Vulnerabilities/CVE" - ], - "UpdatedAt": "2024-11-11T14:44:51.175Z", - "Vulnerabilities": [ - { - "Cvss": [ - { - "BaseScore": 7.5, - "BaseVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "Source": "UBUNTU_CVE", - "Version": "3.1" - }, - { - "BaseScore": 7.5, - "BaseVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "Source": "NVD", - "Version": "3.1" - }, - { - "BaseScore": 7.5, - "BaseVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "Source": "UBUNTU_CVE", - "Version": "3.1" - } - ], - "EpssScore": 0.01559, - "ExploitAvailable": "NO", - "FixAvailable": "YES", - "Id": "CVE-2021-3737", - "ReferenceUrls": [ - "https://ubuntu.com/security/notices/USN-5083-1", - "https://ubuntu.com/security/notices/USN-5201-1", - "https://ubuntu.com/security/notices/USN-5200-1", - "https://ubuntu.com/security/notices/USN-6891-1", - "https://bugs.python.org/issue44022", - "https://www.cve.org/CVERecord?id=CVE-2021-3737", - "https://ubuntu.com/security/notices/USN-5199-1" - 
], - "RelatedVulnerabilities": [ - "USN-5200-1", - "USN-5201-1", - "USN-5083-1", - "USN-6891-1", - "USN-5199-1" - ], - "Vendor": { - "VendorCreatedAt": "2022-03-04T19:15:00.000Z", - "VendorSeverity": "medium", - "Url": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-3737.html", - "Name": "UBUNTU_CVE" - }, - "VulnerablePackages": [ - { - "Architecture": "X86_64", - "PackageManager": "OS", - "Version": "3.10.6", - "Epoch": "0", - "FixedInVersion": "0:3.10.12-1~22.04.4", - "Remediation": "apt-get update && apt-get upgrade", - "Release": "1~22.04.2ubuntu1.1", - "Name": "python3.10" - }, - { - "Architecture": "X86_64", - "PackageManager": "OS", - "Version": "3.10.6", - "Epoch": "0", - "FixedInVersion": "0:3.10.12-1~22.04.4", - "Remediation": "apt-get update && apt-get upgrade", - "Release": "1~22.04.2ubuntu1.1", - "Name": "python3.10-minimal" - } - ] - } - ], - "Workflow": { - "Status": "NEW" - }, - "WorkflowState": "NEW" -} diff --git a/tests/fixtures/findings/full/Inspector/prd.json b/tests/fixtures/findings/full/Inspector/prd.json deleted file mode 100644 index 99dac7e..0000000 --- a/tests/fixtures/findings/full/Inspector/prd.json +++ /dev/null 
@@ -1,154 +0,0 @@ -{ - "AwsAccountId": "012345678912", - "AwsAccountName": "account", - "CompanyName": "Amazon", - "CreatedAt": "2024-11-11T14:40:00.016Z", - "Description": "A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability.", - "FindingProviderFields": { - "Types": [ - "Software and Configuration Checks/Vulnerabilities/CVE" - ], - "Severity": { - "Normalized": 70, - "Label": "HIGH" - } - }, - "FirstObservedAt": "2024-11-11T14:40:00.016Z", - "GeneratorId": "AWSInspector", - "Id": "arn:aws:inspector2:eu-west-1:012345678912:finding/m58hv3b9d83b0ee89c7140b30eed55kv", - "LastObservedAt": "2024-11-11T14:40:00.016Z", - "ProcessedAt": "2024-11-11T14:45:08.567Z", - "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/inspector", - "ProductFields": { - "aws/inspector/ProductVersion": "2", - "aws/inspector/FindingStatus": "CLOSED", - "aws/inspector/inspectorScore": "7.5", - "aws/inspector/instanceId": "i-01e8db61387e018b4", - "aws/inspector/resources/1/resourceDetails/awsEc2InstanceDetails/platform": "UBUNTU_22_04", - "aws/securityhub/FindingId": "arn:aws:securityhub:eu-west-1::product/aws/inspector/arn:aws:inspector2:eu-west-1:012345678912:finding/ff4ebfb9d83b0ee89c7140b30eed5ef9", - "aws/securityhub/ProductName": "Inspector", - "aws/securityhub/CompanyName": "Amazon" - }, - "ProductName": "Inspector", - "RecordState": "ARCHIVED", - "Region": "eu-west-1", - "Remediation": { - "Recommendation": { - "Text": "Remediation is available. Please refer to the Fixed version in the vulnerability details section above.For detailed remediation guidance for each of the affected packages, refer to the vulnerabilities section of the detailed finding JSON." 
- } - }, - "Resources": [ - { - "Details": { - "AwsEc2Instance": { - "Type": "t3.large", - "VpcId": "vpc-0d165124e6f1211e6", - "ImageId": "ami-030c1a56dd9a0ccd8", - "IpV4Addresses": [ - "192.168.0.74" - ], - "SubnetId": "subnet-062ae210766aa9614", - "LaunchedAt": "2024-11-11T14:38:42.000Z", - "IamInstanceProfileArn": "arn:aws:iam::012345678912:instance-profile/example/example-profile" - } - }, - "Id": "arn:aws:ec2:eu-west-1:012345678912:instance/i-01e8db61387e018b4", - "Partition": "aws", - "Region": "eu-west-1", - "Tags": { - "aws:ec2:fleet-id": "fleet-28b70307-1da4-e616-0cb8-0d20555fe75c", - "ghr:environment": "example", - "aws:ec2launchtemplate:version": "9", - "aws:ec2launchtemplate:id": "lt-0c064043433a6dcfe", - "Name": "example-action-runner" - }, - "Type": "AwsEc2Instance" - } - ], - "SchemaVersion": "2018-10-08", - "Severity": { - "Label": "HIGH", - "Normalized": 70 - }, - "Title": "CVE-2021-3737 - python3.10, python3.10-minimal", - "Types": [ - "Software and Configuration Checks/Vulnerabilities/CVE" - ], - "UpdatedAt": "2024-11-11T14:44:51.175Z", - "Vulnerabilities": [ - { - "Cvss": [ - { - "BaseScore": 7.5, - "BaseVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "Source": "UBUNTU_CVE", - "Version": "3.1" - }, - { - "BaseScore": 7.5, - "BaseVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "Source": "NVD", - "Version": "3.1" - }, - { - "BaseScore": 7.5, - "BaseVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "Source": "UBUNTU_CVE", - "Version": "3.1" - } - ], - "EpssScore": 0.01559, - "ExploitAvailable": "NO", - "FixAvailable": "YES", - "Id": "CVE-2021-3737", - "ReferenceUrls": [ - "https://ubuntu.com/security/notices/USN-5083-1", - "https://ubuntu.com/security/notices/USN-5201-1", - "https://ubuntu.com/security/notices/USN-5200-1", - "https://ubuntu.com/security/notices/USN-6891-1", - "https://bugs.python.org/issue44022", - "https://www.cve.org/CVERecord?id=CVE-2021-3737", - "https://ubuntu.com/security/notices/USN-5199-1" - 
], - "RelatedVulnerabilities": [ - "USN-5200-1", - "USN-5201-1", - "USN-5083-1", - "USN-6891-1", - "USN-5199-1" - ], - "Vendor": { - "VendorCreatedAt": "2022-03-04T19:15:00.000Z", - "VendorSeverity": "medium", - "Url": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-3737.html", - "Name": "UBUNTU_CVE" - }, - "VulnerablePackages": [ - { - "Architecture": "X86_64", - "PackageManager": "OS", - "Version": "3.10.6", - "Epoch": "0", - "FixedInVersion": "0:3.10.12-1~22.04.4", - "Remediation": "apt-get update && apt-get upgrade", - "Release": "1~22.04.2ubuntu1.1", - "Name": "python3.10" - }, - { - "Architecture": "X86_64", - "PackageManager": "OS", - "Version": "3.10.6", - "Epoch": "0", - "FixedInVersion": "0:3.10.12-1~22.04.4", - "Remediation": "apt-get update && apt-get upgrade", - "Release": "1~22.04.2ubuntu1.1", - "Name": "python3.10-minimal" - } - ] - } - ], - "Workflow": { - "Status": "NEW" - }, - "WorkflowState": "NEW" -} diff --git a/tests/fixtures/findings/full/S3.14/acc.json b/tests/fixtures/findings/full/S3.14/acc.json deleted file mode 100644 index 099b04e..0000000 --- a/tests/fixtures/findings/full/S3.14/acc.json +++ /dev/null 
@@ -1,92 +0,0 @@ -{ - "SchemaVersion": "2018-10-08", - "Id": "arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.14/finding/e27c3ee5-4616-4d32-9eaf-adcf01921246", - "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub", - "ProductName": "Security Hub", - "CompanyName": "AWS", - "Region": "eu-west-1", - "GeneratorId": "security-control/S3.14", - "AwsAccountId": "988763490897", - "Types": [ - "Software and Configuration Checks/Industry and Regulatory Standards" - ], - "FirstObservedAt": "2024-07-24T19:02:50.270Z", - "LastObservedAt": "2024-07-24T19:05:18.868Z", - "CreatedAt": "2024-07-24T19:02:50.270Z", - "UpdatedAt": "2024-07-24T19:05:05.304Z", - "Severity": { - "Label": "LOW", - "Normalized": 1, - "Original": "LOW" - }, - "Title": "S3 general purpose buckets should have versioning enabled", - "Description": "This control checks whether an Amazon S3 general purpose bucket has versioning enabled. The control fails if versioning is suspended for the bucket.", - "Remediation": { - "Recommendation": { - "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", - "Url": "https://docs.aws.amazon.com/console/securityhub/S3.14/remediation" - } - }, - "ProductFields": { - "RelatedAWSResources:0/name": "securityhub-s3-bucket-versioning-enabled-a376307d", - "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", - "aws/securityhub/ProductName": "Security Hub", - "aws/securityhub/CompanyName": "AWS", - "Resources:0/Id": "arn:aws:s3:::boeket-acc", - "aws/securityhub/FindingId": "arn:aws:securityhub:eu-west-1::product/aws/securityhub/arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.14/finding/e27c3ee5-4616-4d32-9eaf-adcf01921246" - }, - "Resources": [ - { - "Type": "AwsS3Bucket", - "Id": "arn:aws:s3:::boeket-acc", - "Partition": "aws", - "Region": "eu-west-1", - "Tags": { - "ManagedBy": "CFN" - }, - "Details": { - "AwsS3Bucket": { - "OwnerId": 
"2240facc0082445db039bc31ec992cbbcbdc1f0f703d4f3dac0f91273a05d33f", - "CreatedAt": "2024-07-24T19:02:06.000Z", - "Name": "boeket-acc" - } - } - } - ], - "Compliance": { - "Status": "FAILED", - "RelatedRequirements": [ - "NIST.800-53.r5 AU-9(2)", - "NIST.800-53.r5 CP-10", - "NIST.800-53.r5 CP-6", - "NIST.800-53.r5 CP-6(1)", - "NIST.800-53.r5 CP-6(2)", - "NIST.800-53.r5 CP-9", - "NIST.800-53.r5 SC-5(2)", - "NIST.800-53.r5 SI-12", - "NIST.800-53.r5 SI-13(5)" - ], - "SecurityControlId": "S3.14", - "AssociatedStandards": [ - { - "StandardsId": "standards/nist-800-53/v/5.0.0" - } - ] - }, - "WorkflowState": "NEW", - "Workflow": { - "Status": "NEW" - }, - "RecordState": "ACTIVE", - "FindingProviderFields": { - "Severity": { - "Label": "LOW", - "Original": "LOW" - }, - "Types": [ - "Software and Configuration Checks/Industry and Regulatory Standards" - ] - }, - "ProcessedAt": "2024-07-24T19:05:21.841Z", - "AwsAccountName": "watcher" -} \ No newline at end of file diff --git a/tests/fixtures/findings/full/S3.14/dev.json b/tests/fixtures/findings/full/S3.14/dev.json deleted file mode 100644 index 26907dc..0000000 --- a/tests/fixtures/findings/full/S3.14/dev.json +++ /dev/null 
@@ -1,93 +0,0 @@ -{ - "SchemaVersion": "2018-10-08", - "Id": "arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.14/finding/4b0d331f-2396-4663-847b-344126c3e780", - "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub", - "ProductName": "Security Hub", - "CompanyName": "AWS", - "Region": "eu-west-1", - "GeneratorId": "security-control/S3.14", - "AwsAccountId": "988763490897", - "Types": [ - "Software and Configuration Checks/Industry and Regulatory Standards" - ], - "FirstObservedAt": "2024-07-24T19:02:50.271Z", - "LastObservedAt": "2024-07-24T19:07:24.672Z", - "CreatedAt": "2024-07-24T19:02:50.271Z", - "UpdatedAt": "2024-07-24T19:07:14.170Z", - "Severity": { - "Label": "LOW", - "Normalized": 1, - "Original": "LOW" - }, - "Title": "S3 general purpose buckets should have versioning enabled", - "Description": "This control checks whether an Amazon S3 general purpose bucket has versioning enabled. The control fails if versioning is suspended for the bucket.", - "Remediation": { - "Recommendation": { - "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", - "Url": "https://docs.aws.amazon.com/console/securityhub/S3.14/remediation" - } - }, - "ProductFields": { - "RelatedAWSResources:0/name": "securityhub-s3-bucket-versioning-enabled-a376307d", - "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", - "aws/securityhub/ProductName": "Security Hub", - "aws/securityhub/CompanyName": "AWS", - "Resources:0/Id": "arn:aws:s3:::boeket-dev", - "aws/securityhub/FindingId": "arn:aws:securityhub:eu-west-1::product/aws/securityhub/arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.14/finding/4b0d331f-2396-4663-847b-344126c3e780" - }, - "Resources": [ - { - "Type": "AwsS3Bucket", - "Id": "arn:aws:s3:::boeket-dev", - "Partition": "aws", - "Region": "eu-west-1", - "Tags": { - "ManagedBy": "Pulumi", - "Terraform": "ManagedBy" - }, - "Details": { - "AwsS3Bucket": { - "OwnerId": 
"2240facc0082445db039bc31ec992cbbcbdc1f0f703d4f3dac0f91273a05d33f", - "CreatedAt": "2024-07-24T19:01:29.000Z", - "Name": "boeket-dev" - } - } - } - ], - "Compliance": { - "Status": "FAILED", - "RelatedRequirements": [ - "NIST.800-53.r5 AU-9(2)", - "NIST.800-53.r5 CP-10", - "NIST.800-53.r5 CP-6", - "NIST.800-53.r5 CP-6(1)", - "NIST.800-53.r5 CP-6(2)", - "NIST.800-53.r5 CP-9", - "NIST.800-53.r5 SC-5(2)", - "NIST.800-53.r5 SI-12", - "NIST.800-53.r5 SI-13(5)" - ], - "SecurityControlId": "S3.14", - "AssociatedStandards": [ - { - "StandardsId": "standards/nist-800-53/v/5.0.0" - } - ] - }, - "WorkflowState": "NEW", - "Workflow": { - "Status": "NEW" - }, - "RecordState": "ACTIVE", - "FindingProviderFields": { - "Severity": { - "Label": "LOW", - "Original": "LOW" - }, - "Types": [ - "Software and Configuration Checks/Industry and Regulatory Standards" - ] - }, - "ProcessedAt": "2024-07-24T19:07:28.104Z", - "AwsAccountName": "watcher" -} \ No newline at end of file diff --git a/tests/fixtures/findings/full/S3.14/prd.json b/tests/fixtures/findings/full/S3.14/prd.json deleted file mode 100644 index 25facd7..0000000 --- a/tests/fixtures/findings/full/S3.14/prd.json +++ /dev/null 
@@ -1,92 +0,0 @@ -{ - "SchemaVersion": "2018-10-08", - "Id": "arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.14/finding/db101219-4b19-4176-a660-490d30b7945d", - "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub", - "ProductName": "Security Hub", - "CompanyName": "AWS", - "Region": "eu-west-1", - "GeneratorId": "security-control/S3.14", - "AwsAccountId": "988763490897", - "Types": [ - "Software and Configuration Checks/Industry and Regulatory Standards" - ], - "FirstObservedAt": "2024-07-24T19:05:05.304Z", - "LastObservedAt": "2024-07-24T19:05:20.186Z", - "CreatedAt": "2024-07-24T19:05:05.304Z", - "UpdatedAt": "2024-07-24T19:05:05.304Z", - "Severity": { - "Label": "LOW", - "Normalized": 1, - "Original": "LOW" - }, - "Title": "S3 general purpose buckets should have versioning enabled", - "Description": "This control checks whether an Amazon S3 general purpose bucket has versioning enabled. The control fails if versioning is suspended for the bucket.", - "Remediation": { - "Recommendation": { - "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", - "Url": "https://docs.aws.amazon.com/console/securityhub/S3.14/remediation" - } - }, - "ProductFields": { - "RelatedAWSResources:0/name": "securityhub-s3-bucket-versioning-enabled-a376307d", - "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", - "aws/securityhub/ProductName": "Security Hub", - "aws/securityhub/CompanyName": "AWS", - "Resources:0/Id": "arn:aws:s3:::boeket-prd", - "aws/securityhub/FindingId": "arn:aws:securityhub:eu-west-1::product/aws/securityhub/arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.14/finding/db101219-4b19-4176-a660-490d30b7945d" - }, - "Resources": [ - { - "Type": "AwsS3Bucket", - "Id": "arn:aws:s3:::boeket-prd", - "Partition": "aws", - "Region": "eu-west-1", - "Tags": { - "ManagedBy": "Terraform" - }, - "Details": { - "AwsS3Bucket": { - "OwnerId": 
"2240facc0082445db039bc31ec992cbbcbdc1f0f703d4f3dac0f91273a05d33f", - "CreatedAt": "2024-07-24T19:02:52.000Z", - "Name": "boeket-prd" - } - } - } - ], - "Compliance": { - "Status": "FAILED", - "RelatedRequirements": [ - "NIST.800-53.r5 AU-9(2)", - "NIST.800-53.r5 CP-10", - "NIST.800-53.r5 CP-6", - "NIST.800-53.r5 CP-6(1)", - "NIST.800-53.r5 CP-6(2)", - "NIST.800-53.r5 CP-9", - "NIST.800-53.r5 SC-5(2)", - "NIST.800-53.r5 SI-12", - "NIST.800-53.r5 SI-13(5)" - ], - "SecurityControlId": "S3.14", - "AssociatedStandards": [ - { - "StandardsId": "standards/nist-800-53/v/5.0.0" - } - ] - }, - "WorkflowState": "NEW", - "Workflow": { - "Status": "NEW" - }, - "RecordState": "ACTIVE", - "FindingProviderFields": { - "Severity": { - "Label": "LOW", - "Original": "LOW" - }, - "Types": [ - "Software and Configuration Checks/Industry and Regulatory Standards" - ] - }, - "ProcessedAt": "2024-07-24T19:05:23.098Z", - "AwsAccountName": "watcher" -} \ No newline at end of file diff --git a/tests/fixtures/findings/full/S3.20/acc.json b/tests/fixtures/findings/full/S3.20/acc.json deleted file mode 100644 index f14f185..0000000 --- a/tests/fixtures/findings/full/S3.20/acc.json +++ /dev/null 
@@ -1,96 +0,0 @@ -{ - "SchemaVersion": "2018-10-08", - "Id": "arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.20/finding/2e14352c-2bb5-4dfc-88af-71467172d92f", - "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub", - "ProductName": "Security Hub", - "CompanyName": "AWS", - "Region": "eu-west-1", - "GeneratorId": "security-control/S3.20", - "AwsAccountId": "988763490897", - "Types": [ - "Software and Configuration Checks/Industry and Regulatory Standards" - ], - "FirstObservedAt": "2024-07-24T19:02:51.161Z", - "LastObservedAt": "2024-07-24T19:05:23.043Z", - "CreatedAt": "2024-07-24T19:02:51.161Z", - "UpdatedAt": "2024-07-24T19:05:07.028Z", - "Severity": { - "Label": "LOW", - "Normalized": 1, - "Original": "LOW" - }, - "Title": "S3 general purpose buckets should have MFA delete enabled", - "Description": "This control checks if multi-factor authentication (MFA) delete is enabled on an Amazon S3 general purpose bucket. The control fails if MFA delete isn't enabled on the bucket.", - "Remediation": { - "Recommendation": { - "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", - "Url": "https://docs.aws.amazon.com/console/securityhub/S3.20/remediation" - } - }, - "ProductFields": { - "RelatedAWSResources:0/name": "securityhub-s3-bucket-mfa-delete-enabled-ecb9e4b4", - "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", - "aws/securityhub/ProductName": "Security Hub", - "aws/securityhub/CompanyName": "AWS", - "Resources:0/Id": "arn:aws:s3:::boeket-acc", - "aws/securityhub/FindingId": "arn:aws:securityhub:eu-west-1::product/aws/securityhub/arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.20/finding/2e14352c-2bb5-4dfc-88af-71467172d92f" - }, - "Resources": [ - { - "Type": "AwsS3Bucket", - "Id": "arn:aws:s3:::boeket-acc", - "Partition": "aws", - "Region": "eu-west-1", - "Tags": { - "ManagedBy": "CFN" - }, - "Details": { - "AwsS3Bucket": { - "OwnerId": 
"2240facc0082445db039bc31ec992cbbcbdc1f0f703d4f3dac0f91273a05d33f", - "CreatedAt": "2024-07-24T19:02:06.000Z", - "Name": "boeket-acc" - } - } - } - ], - "Compliance": { - "Status": "FAILED", - "RelatedRequirements": [ - "CIS AWS Foundations Benchmark v1.4.0/2.1.3", - "CIS AWS Foundations Benchmark v3.0.0/2.1.2", - "NIST.800-53.r5 CA-9(1)", - "NIST.800-53.r5 CM-2", - "NIST.800-53.r5 CM-2(2)", - "NIST.800-53.r5 CM-3", - "NIST.800-53.r5 SC-5(2)" - ], - "SecurityControlId": "S3.20", - "AssociatedStandards": [ - { - "StandardsId": "standards/cis-aws-foundations-benchmark/v/1.4.0" - }, - { - "StandardsId": "standards/cis-aws-foundations-benchmark/v/3.0.0" - }, - { - "StandardsId": "standards/nist-800-53/v/5.0.0" - } - ] - }, - "WorkflowState": "NEW", - "Workflow": { - "Status": "NEW" - }, - "RecordState": "ACTIVE", - "FindingProviderFields": { - "Severity": { - "Label": "LOW", - "Original": "LOW" - }, - "Types": [ - "Software and Configuration Checks/Industry and Regulatory Standards" - ] - }, - "ProcessedAt": "2024-07-24T19:05:26.294Z", - "AwsAccountName": "watcher" -} \ No newline at end of file diff --git a/tests/fixtures/findings/full/S3.20/dev.json b/tests/fixtures/findings/full/S3.20/dev.json deleted file mode 100644 index ff313ba..0000000 --- a/tests/fixtures/findings/full/S3.20/dev.json +++ /dev/null 
@@ -1,97 +0,0 @@ -{ - "SchemaVersion": "2018-10-08", - "Id": "arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.20/finding/45fee04a-22ed-4242-a316-ebaecd5a1b36", - "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub", - "ProductName": "Security Hub", - "CompanyName": "AWS", - "Region": "eu-west-1", - "GeneratorId": "security-control/S3.20", - "AwsAccountId": "988763490897", - "Types": [ - "Software and Configuration Checks/Industry and Regulatory Standards" - ], - "FirstObservedAt": "2024-07-24T19:02:51.160Z", - "LastObservedAt": "2024-07-24T19:07:23.639Z", - "CreatedAt": "2024-07-24T19:02:51.160Z", - "UpdatedAt": "2024-07-24T19:07:15.150Z", - "Severity": { - "Label": "LOW", - "Normalized": 1, - "Original": "LOW" - }, - "Title": "S3 general purpose buckets should have MFA delete enabled", - "Description": "This control checks if multi-factor authentication (MFA) delete is enabled on an Amazon S3 general purpose bucket. The control fails if MFA delete isn't enabled on the bucket.", - "Remediation": { - "Recommendation": { - "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", - "Url": "https://docs.aws.amazon.com/console/securityhub/S3.20/remediation" - } - }, - "ProductFields": { - "RelatedAWSResources:0/name": "securityhub-s3-bucket-mfa-delete-enabled-ecb9e4b4", - "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", - "aws/securityhub/ProductName": "Security Hub", - "aws/securityhub/CompanyName": "AWS", - "Resources:0/Id": "arn:aws:s3:::boeket-dev", - "aws/securityhub/FindingId": "arn:aws:securityhub:eu-west-1::product/aws/securityhub/arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.20/finding/45fee04a-22ed-4242-a316-ebaecd5a1b36" - }, - "Resources": [ - { - "Type": "AwsS3Bucket", - "Id": "arn:aws:s3:::boeket-dev", - "Partition": "aws", - "Region": "eu-west-1", - "Tags": { - "ManagedBy": "Pulumi", - "Terraform": "ManagedBy" - }, - "Details": { - "AwsS3Bucket": 
{ - "OwnerId": "2240facc0082445db039bc31ec992cbbcbdc1f0f703d4f3dac0f91273a05d33f", - "CreatedAt": "2024-07-24T19:01:29.000Z", - "Name": "boeket-dev" - } - } - } - ], - "Compliance": { - "Status": "FAILED", - "RelatedRequirements": [ - "CIS AWS Foundations Benchmark v1.4.0/2.1.3", - "CIS AWS Foundations Benchmark v3.0.0/2.1.2", - "NIST.800-53.r5 CA-9(1)", - "NIST.800-53.r5 CM-2", - "NIST.800-53.r5 CM-2(2)", - "NIST.800-53.r5 CM-3", - "NIST.800-53.r5 SC-5(2)" - ], - "SecurityControlId": "S3.20", - "AssociatedStandards": [ - { - "StandardsId": "standards/cis-aws-foundations-benchmark/v/1.4.0" - }, - { - "StandardsId": "standards/cis-aws-foundations-benchmark/v/3.0.0" - }, - { - "StandardsId": "standards/nist-800-53/v/5.0.0" - } - ] - }, - "WorkflowState": "NEW", - "Workflow": { - "Status": "NEW" - }, - "RecordState": "ACTIVE", - "FindingProviderFields": { - "Severity": { - "Label": "LOW", - "Original": "LOW" - }, - "Types": [ - "Software and Configuration Checks/Industry and Regulatory Standards" - ] - }, - "ProcessedAt": "2024-07-24T19:07:26.943Z", - "AwsAccountName": "watcher" -} \ No newline at end of file diff --git a/tests/fixtures/findings/full/S3.20/prd.json b/tests/fixtures/findings/full/S3.20/prd.json deleted file mode 100644 index 8a3a5c8..0000000 --- a/tests/fixtures/findings/full/S3.20/prd.json +++ /dev/null 
@@ -1,96 +0,0 @@ -{ - "SchemaVersion": "2018-10-08", - "Id": "arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.20/finding/c9403a5e-0f03-45f6-a85e-754f043a6b10", - "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub", - "ProductName": "Security Hub", - "CompanyName": "AWS", - "Region": "eu-west-1", - "GeneratorId": "security-control/S3.20", - "AwsAccountId": "988763490897", - "Types": [ - "Software and Configuration Checks/Industry and Regulatory Standards" - ], - "FirstObservedAt": "2024-07-24T19:04:59.056Z", - "LastObservedAt": "2024-07-24T19:05:08.787Z", - "CreatedAt": "2024-07-24T19:04:59.056Z", - "UpdatedAt": "2024-07-24T19:04:59.056Z", - "Severity": { - "Label": "LOW", - "Normalized": 1, - "Original": "LOW" - }, - "Title": "S3 general purpose buckets should have MFA delete enabled", - "Description": "This control checks if multi-factor authentication (MFA) delete is enabled on an Amazon S3 general purpose bucket. The control fails if MFA delete isn't enabled on the bucket.", - "Remediation": { - "Recommendation": { - "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", - "Url": "https://docs.aws.amazon.com/console/securityhub/S3.20/remediation" - } - }, - "ProductFields": { - "RelatedAWSResources:0/name": "securityhub-s3-bucket-mfa-delete-enabled-ecb9e4b4", - "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", - "aws/securityhub/ProductName": "Security Hub", - "aws/securityhub/CompanyName": "AWS", - "Resources:0/Id": "arn:aws:s3:::boeket-prd", - "aws/securityhub/FindingId": "arn:aws:securityhub:eu-west-1::product/aws/securityhub/arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.20/finding/c9403a5e-0f03-45f6-a85e-754f043a6b10" - }, - "Resources": [ - { - "Type": "AwsS3Bucket", - "Id": "arn:aws:s3:::boeket-prd", - "Partition": "aws", - "Region": "eu-west-1", - "Tags": { - "ManagedBy": "Terraform" - }, - "Details": { - "AwsS3Bucket": { - "OwnerId": 
"2240facc0082445db039bc31ec992cbbcbdc1f0f703d4f3dac0f91273a05d33f", - "CreatedAt": "2024-07-24T19:02:52.000Z", - "Name": "boeket-prd" - } - } - } - ], - "Compliance": { - "Status": "FAILED", - "RelatedRequirements": [ - "CIS AWS Foundations Benchmark v1.4.0/2.1.3", - "CIS AWS Foundations Benchmark v3.0.0/2.1.2", - "NIST.800-53.r5 CA-9(1)", - "NIST.800-53.r5 CM-2", - "NIST.800-53.r5 CM-2(2)", - "NIST.800-53.r5 CM-3", - "NIST.800-53.r5 SC-5(2)" - ], - "SecurityControlId": "S3.20", - "AssociatedStandards": [ - { - "StandardsId": "standards/cis-aws-foundations-benchmark/v/1.4.0" - }, - { - "StandardsId": "standards/cis-aws-foundations-benchmark/v/3.0.0" - }, - { - "StandardsId": "standards/nist-800-53/v/5.0.0" - } - ] - }, - "WorkflowState": "NEW", - "Workflow": { - "Status": "NEW" - }, - "RecordState": "ACTIVE", - "FindingProviderFields": { - "Severity": { - "Label": "LOW", - "Original": "LOW" - }, - "Types": [ - "Software and Configuration Checks/Industry and Regulatory Standards" - ] - }, - "ProcessedAt": "2024-07-24T19:05:12.057Z", - "AwsAccountName": "watcher" -} \ No newline at end of file diff --git a/tests/fixtures/findings/full/S3.8/acc.json b/tests/fixtures/findings/full/S3.8/acc.json deleted file mode 100644 index 52e3b94..0000000 --- a/tests/fixtures/findings/full/S3.8/acc.json +++ /dev/null 
@@ -1,109 +0,0 @@ -{ - "SchemaVersion": "2018-10-08", - "Id": "arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.8/finding/1ed5c403-ee76-491a-8248-0a5258972d3e", - "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub", - "ProductName": "Security Hub", - "CompanyName": "AWS", - "Region": "eu-west-1", - "GeneratorId": "security-control/S3.8", - "AwsAccountId": "988763490897", - "Types": [ - "Software and Configuration Checks/Industry and Regulatory Standards" - ], - "FirstObservedAt": "2024-07-24T19:02:49.891Z", - "LastObservedAt": "2024-07-24T19:05:20.291Z", - "CreatedAt": "2024-07-24T19:02:49.891Z", - "UpdatedAt": "2024-07-24T19:05:04.979Z", - "Severity": { - "Label": "HIGH", - "Normalized": 70, - "Original": "HIGH" - }, - "Title": "S3 general purpose buckets should block public access", - "Description": "This control checks whether an Amazon S3 general purpose bucket blocks public access at the bucket level. The control fails if any of the following settings are set to false: ignorePublicAcls, blockPublicPolicy, blockPublicAcls, restrictPublicBuckets.", - "Remediation": { - "Recommendation": { - "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", - "Url": "https://docs.aws.amazon.com/console/securityhub/S3.8/remediation" - } - }, - "ProductFields": { - "RelatedAWSResources:0/name": "securityhub-s3-bucket-level-public-access-prohibited-f646f60c", - "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", - "aws/securityhub/ProductName": "Security Hub", - "aws/securityhub/CompanyName": "AWS", - "aws/securityhub/annotation": "PublicAccessBlockConfigurations are incorrect for block_public_acls: False ignore_public_acls: False block_public_policy: False restrict_public_buckets False", - "Resources:0/Id": "arn:aws:s3:::boeket-acc", - "aws/securityhub/FindingId": 
"arn:aws:securityhub:eu-west-1::product/aws/securityhub/arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.8/finding/1ed5c403-ee76-491a-8248-0a5258972d3e" - }, - "Resources": [ - { - "Type": "AwsS3Bucket", - "Id": "arn:aws:s3:::boeket-acc", - "Partition": "aws", - "Region": "eu-west-1", - "Tags": { - "ManagedBy": "CFN" - }, - "Details": { - "AwsS3Bucket": { - "OwnerId": "2240facc0082445db039bc31ec992cbbcbdc1f0f703d4f3dac0f91273a05d33f", - "CreatedAt": "2024-07-24T19:02:06.000Z", - "Name": "boeket-acc" - } - } - } - ], - "Compliance": { - "Status": "FAILED", - "RelatedRequirements": [ - "CIS AWS Foundations Benchmark v1.4.0/2.1.5", - "CIS AWS Foundations Benchmark v3.0.0/2.1.4", - "NIST.800-53.r5 AC-21", - "NIST.800-53.r5 AC-3", - "NIST.800-53.r5 AC-3(7)", - "NIST.800-53.r5 AC-4", - "NIST.800-53.r5 AC-4(21)", - "NIST.800-53.r5 AC-6", - "NIST.800-53.r5 SC-7", - "NIST.800-53.r5 SC-7(11)", - "NIST.800-53.r5 SC-7(16)", - "NIST.800-53.r5 SC-7(20)", - "NIST.800-53.r5 SC-7(21)", - "NIST.800-53.r5 SC-7(3)", - "NIST.800-53.r5 SC-7(4)", - "NIST.800-53.r5 SC-7(9)" - ], - "SecurityControlId": "S3.8", - "AssociatedStandards": [ - { - "StandardsId": "standards/aws-foundational-security-best-practices/v/1.0.0" - }, - { - "StandardsId": "standards/cis-aws-foundations-benchmark/v/1.4.0" - }, - { - "StandardsId": "standards/cis-aws-foundations-benchmark/v/3.0.0" - }, - { - "StandardsId": "standards/nist-800-53/v/5.0.0" - } - ] - }, - "WorkflowState": "NEW", - "Workflow": { - "Status": "NEW" - }, - "RecordState": "ACTIVE", - "FindingProviderFields": { - "Severity": { - "Label": "HIGH", - "Original": "HIGH" - }, - "Types": [ - "Software and Configuration Checks/Industry and Regulatory Standards" - ] - }, - "ProcessedAt": "2024-07-24T19:05:23.489Z", - "AwsAccountName": "watcher" -} \ No newline at end of file diff --git a/tests/fixtures/findings/full/S3.8/dev.json b/tests/fixtures/findings/full/S3.8/dev.json deleted file mode 100644 index cba388e..0000000 
--- a/tests/fixtures/findings/full/S3.8/dev.json +++ /dev/null 
@@ -1,110 +0,0 @@ -{ - "SchemaVersion": "2018-10-08", - "Id": "arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.8/finding/09af4f16-0995-4b3f-802e-e8acc30a0977", - "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub", - "ProductName": "Security Hub", - "CompanyName": "AWS", - "Region": "eu-west-1", - "GeneratorId": "security-control/S3.8", - "AwsAccountId": "988763490897", - "Types": [ - "Software and Configuration Checks/Industry and Regulatory Standards" - ], - "FirstObservedAt": "2024-07-24T19:02:49.890Z", - "LastObservedAt": "2024-07-24T19:07:20.369Z", - "CreatedAt": "2024-07-24T19:02:49.890Z", - "UpdatedAt": "2024-07-24T19:07:13.307Z", - "Severity": { - "Label": "HIGH", - "Normalized": 70, - "Original": "HIGH" - }, - "Title": "S3 general purpose buckets should block public access", - "Description": "This control checks whether an Amazon S3 general purpose bucket blocks public access at the bucket level. The control fails if any of the following settings are set to false: ignorePublicAcls, blockPublicPolicy, blockPublicAcls, restrictPublicBuckets.", - "Remediation": { - "Recommendation": { - "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", - "Url": "https://docs.aws.amazon.com/console/securityhub/S3.8/remediation" - } - }, - "ProductFields": { - "RelatedAWSResources:0/name": "securityhub-s3-bucket-level-public-access-prohibited-f646f60c", - "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", - "aws/securityhub/ProductName": "Security Hub", - "aws/securityhub/CompanyName": "AWS", - "aws/securityhub/annotation": "PublicAccessBlockConfigurations are incorrect for block_public_acls: False ignore_public_acls: False block_public_policy: False restrict_public_buckets False", - "Resources:0/Id": "arn:aws:s3:::boeket-dev", - "aws/securityhub/FindingId": 
"arn:aws:securityhub:eu-west-1::product/aws/securityhub/arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.8/finding/09af4f16-0995-4b3f-802e-e8acc30a0977" - }, - "Resources": [ - { - "Type": "AwsS3Bucket", - "Id": "arn:aws:s3:::boeket-dev", - "Partition": "aws", - "Region": "eu-west-1", - "Tags": { - "ManagedBy": "Pulumi", - "Terraform": "ManagedBy" - }, - "Details": { - "AwsS3Bucket": { - "OwnerId": "2240facc0082445db039bc31ec992cbbcbdc1f0f703d4f3dac0f91273a05d33f", - "CreatedAt": "2024-07-24T19:01:29.000Z", - "Name": "boeket-dev" - } - } - } - ], - "Compliance": { - "Status": "FAILED", - "RelatedRequirements": [ - "CIS AWS Foundations Benchmark v1.4.0/2.1.5", - "CIS AWS Foundations Benchmark v3.0.0/2.1.4", - "NIST.800-53.r5 AC-21", - "NIST.800-53.r5 AC-3", - "NIST.800-53.r5 AC-3(7)", - "NIST.800-53.r5 AC-4", - "NIST.800-53.r5 AC-4(21)", - "NIST.800-53.r5 AC-6", - "NIST.800-53.r5 SC-7", - "NIST.800-53.r5 SC-7(11)", - "NIST.800-53.r5 SC-7(16)", - "NIST.800-53.r5 SC-7(20)", - "NIST.800-53.r5 SC-7(21)", - "NIST.800-53.r5 SC-7(3)", - "NIST.800-53.r5 SC-7(4)", - "NIST.800-53.r5 SC-7(9)" - ], - "SecurityControlId": "S3.8", - "AssociatedStandards": [ - { - "StandardsId": "standards/aws-foundational-security-best-practices/v/1.0.0" - }, - { - "StandardsId": "standards/cis-aws-foundations-benchmark/v/1.4.0" - }, - { - "StandardsId": "standards/cis-aws-foundations-benchmark/v/3.0.0" - }, - { - "StandardsId": "standards/nist-800-53/v/5.0.0" - } - ] - }, - "WorkflowState": "NEW", - "Workflow": { - "Status": "NEW" - }, - "RecordState": "ACTIVE", - "FindingProviderFields": { - "Severity": { - "Label": "HIGH", - "Original": "HIGH" - }, - "Types": [ - "Software and Configuration Checks/Industry and Regulatory Standards" - ] - }, - "ProcessedAt": "2024-07-24T19:07:23.491Z", - "AwsAccountName": "watcher" -} \ No newline at end of file 
diff --git a/tests/fixtures/findings/full/S3.8/prd.json b/tests/fixtures/findings/full/S3.8/prd.json deleted file mode 100644 index a8cbc62..0000000 --- a/tests/fixtures/findings/full/S3.8/prd.json +++ /dev/null 
@@ -1,109 +0,0 @@ -{ - "SchemaVersion": "2018-10-08", - "Id": "arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.8/finding/bedcf351-f579-4787-b9e1-04d5b68142cf", - "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub", - "ProductName": "Security Hub", - "CompanyName": "AWS", - "Region": "eu-west-1", - "GeneratorId": "security-control/S3.8", - "AwsAccountId": "988763490897", - "Types": [ - "Software and Configuration Checks/Industry and Regulatory Standards" - ], - "FirstObservedAt": "2024-07-24T19:05:04.979Z", - "LastObservedAt": "2024-07-24T19:05:07.596Z", - "CreatedAt": "2024-07-24T19:05:04.979Z", - "UpdatedAt": "2024-07-24T19:05:04.979Z", - "Severity": { - "Label": "HIGH", - "Normalized": 70, - "Original": "HIGH" - }, - "Title": "S3 general purpose buckets should block public access", - "Description": "This control checks whether an Amazon S3 general purpose bucket blocks public access at the bucket level. The control fails if any of the following settings are set to false: ignorePublicAcls, blockPublicPolicy, blockPublicAcls, restrictPublicBuckets.", - "Remediation": { - "Recommendation": { - "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", - "Url": "https://docs.aws.amazon.com/console/securityhub/S3.8/remediation" - } - }, - "ProductFields": { - "RelatedAWSResources:0/name": "securityhub-s3-bucket-level-public-access-prohibited-f646f60c", - "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", - "aws/securityhub/ProductName": "Security Hub", - "aws/securityhub/CompanyName": "AWS", - "aws/securityhub/annotation": "PublicAccessBlockConfigurations are incorrect for block_public_acls: False ignore_public_acls: False block_public_policy: False restrict_public_buckets False", - "Resources:0/Id": "arn:aws:s3:::boeket-prd", - "aws/securityhub/FindingId": 
"arn:aws:securityhub:eu-west-1::product/aws/securityhub/arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.8/finding/bedcf351-f579-4787-b9e1-04d5b68142cf" - }, - "Resources": [ - { - "Type": "AwsS3Bucket", - "Id": "arn:aws:s3:::boeket-prd", - "Partition": "aws", - "Region": "eu-west-1", - "Tags": { - "ManagedBy": "Terraform" - }, - "Details": { - "AwsS3Bucket": { - "OwnerId": "2240facc0082445db039bc31ec992cbbcbdc1f0f703d4f3dac0f91273a05d33f", - "CreatedAt": "2024-07-24T19:02:52.000Z", - "Name": "boeket-prd" - } - } - } - ], - "Compliance": { - "Status": "FAILED", - "RelatedRequirements": [ - "CIS AWS Foundations Benchmark v1.4.0/2.1.5", - "CIS AWS Foundations Benchmark v3.0.0/2.1.4", - "NIST.800-53.r5 AC-21", - "NIST.800-53.r5 AC-3", - "NIST.800-53.r5 AC-3(7)", - "NIST.800-53.r5 AC-4", - "NIST.800-53.r5 AC-4(21)", - "NIST.800-53.r5 AC-6", - "NIST.800-53.r5 SC-7", - "NIST.800-53.r5 SC-7(11)", - "NIST.800-53.r5 SC-7(16)", - "NIST.800-53.r5 SC-7(20)", - "NIST.800-53.r5 SC-7(21)", - "NIST.800-53.r5 SC-7(3)", - "NIST.800-53.r5 SC-7(4)", - "NIST.800-53.r5 SC-7(9)" - ], - "SecurityControlId": "S3.8", - "AssociatedStandards": [ - { - "StandardsId": "standards/aws-foundational-security-best-practices/v/1.0.0" - }, - { - "StandardsId": "standards/cis-aws-foundations-benchmark/v/1.4.0" - }, - { - "StandardsId": "standards/cis-aws-foundations-benchmark/v/3.0.0" - }, - { - "StandardsId": "standards/nist-800-53/v/5.0.0" - } - ] - }, - "WorkflowState": "NEW", - "Workflow": { - "Status": "NEW" - }, - "RecordState": "ACTIVE", - "FindingProviderFields": { - "Severity": { - "Label": "HIGH", - "Original": "HIGH" - }, - "Types": [ - "Software and Configuration Checks/Industry and Regulatory Standards" - ] - }, - "ProcessedAt": "2024-07-24T19:05:09.226Z", - "AwsAccountName": "watcher" -} \ No newline at end of file diff --git a/tests/fixtures/findings/full/S3.9/acc.json b/tests/fixtures/findings/full/S3.9/acc.json deleted file mode 100644 index ce81421..0000000 
--- a/tests/fixtures/findings/full/S3.9/acc.json +++ /dev/null 
@@ -1,100 +0,0 @@ -{ - "SchemaVersion": "2018-10-08", - "Id": "arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.9/finding/71a625e2-1a57-4fee-bc3f-22cf3f9f9e57", - "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub", - "ProductName": "Security Hub", - "CompanyName": "AWS", - "Region": "eu-west-1", - "GeneratorId": "security-control/S3.9", - "AwsAccountId": "988763490897", - "Types": [ - "Software and Configuration Checks/Industry and Regulatory Standards" - ], - "FirstObservedAt": "2024-07-24T19:02:52.835Z", - "LastObservedAt": "2024-07-24T19:05:15.218Z", - "CreatedAt": "2024-07-24T19:02:52.835Z", - "UpdatedAt": "2024-07-24T19:05:08.371Z", - "Severity": { - "Label": "MEDIUM", - "Normalized": 40, - "Original": "MEDIUM" - }, - "Title": "S3 general purpose buckets should have server access logging enabled", - "Description": "This control checks whether server access logging is enabled for an Amazon S3 general purpose bucket. The control fails if server access logging isn't enabled. When logging is enabled, Amazon S3 delivers access logs for a source bucket to a chosen target bucket. The target bucket must be in the same AWS Region as the source bucket and must not have a default retention period configured. 
The target logging bucket does not need to have server access logging enabled, and you should suppress findings for this bucket.", - "Remediation": { - "Recommendation": { - "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", - "Url": "https://docs.aws.amazon.com/console/securityhub/S3.9/remediation" - } - }, - "ProductFields": { - "RelatedAWSResources:0/name": "securityhub-s3-bucket-logging-enabled-a2569319", - "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", - "aws/securityhub/ProductName": "Security Hub", - "aws/securityhub/CompanyName": "AWS", - "Resources:0/Id": "arn:aws:s3:::boeket-acc", - "aws/securityhub/FindingId": "arn:aws:securityhub:eu-west-1::product/aws/securityhub/arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.9/finding/71a625e2-1a57-4fee-bc3f-22cf3f9f9e57" - }, - "Resources": [ - { - "Type": "AwsS3Bucket", - "Id": "arn:aws:s3:::boeket-acc", - "Partition": "aws", - "Region": "eu-west-1", - "Tags": { - "ManagedBy": "CFN" - }, - "Details": { - "AwsS3Bucket": { - "OwnerId": "2240facc0082445db039bc31ec992cbbcbdc1f0f703d4f3dac0f91273a05d33f", - "CreatedAt": "2024-07-24T19:02:06.000Z", - "Name": "boeket-acc" - } - } - } - ], - "Compliance": { - "Status": "FAILED", - "RelatedRequirements": [ - "NIST.800-53.r5 AC-2(4)", - "NIST.800-53.r5 AC-4(26)", - "NIST.800-53.r5 AC-6(9)", - "NIST.800-53.r5 AU-10", - "NIST.800-53.r5 AU-12", - "NIST.800-53.r5 AU-2", - "NIST.800-53.r5 AU-3", - "NIST.800-53.r5 AU-6(3)", - "NIST.800-53.r5 AU-6(4)", - "NIST.800-53.r5 CA-7", - "NIST.800-53.r5 SC-7(9)", - "NIST.800-53.r5 SI-3(8)", - "NIST.800-53.r5 SI-4(20)", - "NIST.800-53.r5 SI-7(8)" - ], - "SecurityControlId": "S3.9", - "AssociatedStandards": [ - { - "StandardsId": "standards/aws-foundational-security-best-practices/v/1.0.0" - }, - { - "StandardsId": "standards/nist-800-53/v/5.0.0" - } - ] - }, - "WorkflowState": "NEW", - "Workflow": { - "Status": "NEW" - }, - "RecordState": "ACTIVE", - 
"FindingProviderFields": { - "Severity": { - "Label": "MEDIUM", - "Original": "MEDIUM" - }, - "Types": [ - "Software and Configuration Checks/Industry and Regulatory Standards" - ] - }, - "ProcessedAt": "2024-07-24T19:05:17.718Z", - "AwsAccountName": "watcher" -} \ No newline at end of file diff --git a/tests/fixtures/findings/full/S3.9/dev.json b/tests/fixtures/findings/full/S3.9/dev.json deleted file mode 100644 index 38d5c1e..0000000 --- a/tests/fixtures/findings/full/S3.9/dev.json +++ /dev/null 
@@ -1,101 +0,0 @@ -{ - "SchemaVersion": "2018-10-08", - "Id": "arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.9/finding/180e73dc-a807-4ddd-a36a-14696c85ba9e", - "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub", - "ProductName": "Security Hub", - "CompanyName": "AWS", - "Region": "eu-west-1", - "GeneratorId": "security-control/S3.9", - "AwsAccountId": "988763490897", - "Types": [ - "Software and Configuration Checks/Industry and Regulatory Standards" - ], - "FirstObservedAt": "2024-07-24T19:02:52.834Z", - "LastObservedAt": "2024-07-24T19:07:26.669Z", - "CreatedAt": "2024-07-24T19:02:52.834Z", - "UpdatedAt": "2024-07-24T19:07:18.543Z", - "Severity": { - "Label": "MEDIUM", - "Normalized": 40, - "Original": "MEDIUM" - }, - "Title": "S3 general purpose buckets should have server access logging enabled", - "Description": "This control checks whether server access logging is enabled for an Amazon S3 general purpose bucket. The control fails if server access logging isn't enabled. When logging is enabled, Amazon S3 delivers access logs for a source bucket to a chosen target bucket. The target bucket must be in the same AWS Region as the source bucket and must not have a default retention period configured. 
The target logging bucket does not need to have server access logging enabled, and you should suppress findings for this bucket.", - "Remediation": { - "Recommendation": { - "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", - "Url": "https://docs.aws.amazon.com/console/securityhub/S3.9/remediation" - } - }, - "ProductFields": { - "RelatedAWSResources:0/name": "securityhub-s3-bucket-logging-enabled-a2569319", - "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", - "aws/securityhub/ProductName": "Security Hub", - "aws/securityhub/CompanyName": "AWS", - "Resources:0/Id": "arn:aws:s3:::boeket-dev", - "aws/securityhub/FindingId": "arn:aws:securityhub:eu-west-1::product/aws/securityhub/arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.9/finding/180e73dc-a807-4ddd-a36a-14696c85ba9e" - }, - "Resources": [ - { - "Type": "AwsS3Bucket", - "Id": "arn:aws:s3:::boeket-dev", - "Partition": "aws", - "Region": "eu-west-1", - "Tags": { - "ManagedBy": "Pulumi", - "Terraform": "ManagedBy" - }, - "Details": { - "AwsS3Bucket": { - "OwnerId": "2240facc0082445db039bc31ec992cbbcbdc1f0f703d4f3dac0f91273a05d33f", - "CreatedAt": "2024-07-24T19:01:29.000Z", - "Name": "boeket-dev" - } - } - } - ], - "Compliance": { - "Status": "FAILED", - "RelatedRequirements": [ - "NIST.800-53.r5 AC-2(4)", - "NIST.800-53.r5 AC-4(26)", - "NIST.800-53.r5 AC-6(9)", - "NIST.800-53.r5 AU-10", - "NIST.800-53.r5 AU-12", - "NIST.800-53.r5 AU-2", - "NIST.800-53.r5 AU-3", - "NIST.800-53.r5 AU-6(3)", - "NIST.800-53.r5 AU-6(4)", - "NIST.800-53.r5 CA-7", - "NIST.800-53.r5 SC-7(9)", - "NIST.800-53.r5 SI-3(8)", - "NIST.800-53.r5 SI-4(20)", - "NIST.800-53.r5 SI-7(8)" - ], - "SecurityControlId": "S3.9", - "AssociatedStandards": [ - { - "StandardsId": "standards/aws-foundational-security-best-practices/v/1.0.0" - }, - { - "StandardsId": "standards/nist-800-53/v/5.0.0" - } - ] - }, - "WorkflowState": "NEW", - "Workflow": { - "Status": "NEW" - }, - 
"RecordState": "ACTIVE", - "FindingProviderFields": { - "Severity": { - "Label": "MEDIUM", - "Original": "MEDIUM" - }, - "Types": [ - "Software and Configuration Checks/Industry and Regulatory Standards" - ] - }, - "ProcessedAt": "2024-07-24T19:07:29.263Z", - "AwsAccountName": "watcher" -} \ No newline at end of file diff --git a/tests/fixtures/findings/full/S3.9/prd.json b/tests/fixtures/findings/full/S3.9/prd.json deleted file mode 100644 index ab06cdc..0000000 --- a/tests/fixtures/findings/full/S3.9/prd.json +++ /dev/null 
@@ -1,100 +0,0 @@ -{ - "SchemaVersion": "2018-10-08", - "Id": "arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.9/finding/bcf36529-ad44-4d0e-9e34-647920c266e1", - "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub", - "ProductName": "Security Hub", - "CompanyName": "AWS", - "Region": "eu-west-1", - "GeneratorId": "security-control/S3.9", - "AwsAccountId": "988763490897", - "Types": [ - "Software and Configuration Checks/Industry and Regulatory Standards" - ], - "FirstObservedAt": "2024-07-24T19:05:01.147Z", - "LastObservedAt": "2024-07-24T19:05:15.610Z", - "CreatedAt": "2024-07-24T19:05:01.147Z", - "UpdatedAt": "2024-07-24T19:05:01.147Z", - "Severity": { - "Label": "MEDIUM", - "Normalized": 40, - "Original": "MEDIUM" - }, - "Title": "S3 general purpose buckets should have server access logging enabled", - "Description": "This control checks whether server access logging is enabled for an Amazon S3 general purpose bucket. The control fails if server access logging isn't enabled. When logging is enabled, Amazon S3 delivers access logs for a source bucket to a chosen target bucket. The target bucket must be in the same AWS Region as the source bucket and must not have a default retention period configured. 
The target logging bucket does not need to have server access logging enabled, and you should suppress findings for this bucket.", - "Remediation": { - "Recommendation": { - "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", - "Url": "https://docs.aws.amazon.com/console/securityhub/S3.9/remediation" - } - }, - "ProductFields": { - "RelatedAWSResources:0/name": "securityhub-s3-bucket-logging-enabled-a2569319", - "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", - "aws/securityhub/ProductName": "Security Hub", - "aws/securityhub/CompanyName": "AWS", - "Resources:0/Id": "arn:aws:s3:::boeket-prd", - "aws/securityhub/FindingId": "arn:aws:securityhub:eu-west-1::product/aws/securityhub/arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.9/finding/bcf36529-ad44-4d0e-9e34-647920c266e1" - }, - "Resources": [ - { - "Type": "AwsS3Bucket", - "Id": "arn:aws:s3:::boeket-prd", - "Partition": "aws", - "Region": "eu-west-1", - "Tags": { - "ManagedBy": "Terraform" - }, - "Details": { - "AwsS3Bucket": { - "OwnerId": "2240facc0082445db039bc31ec992cbbcbdc1f0f703d4f3dac0f91273a05d33f", - "CreatedAt": "2024-07-24T19:02:52.000Z", - "Name": "boeket-prd" - } - } - } - ], - "Compliance": { - "Status": "FAILED", - "RelatedRequirements": [ - "NIST.800-53.r5 AC-2(4)", - "NIST.800-53.r5 AC-4(26)", - "NIST.800-53.r5 AC-6(9)", - "NIST.800-53.r5 AU-10", - "NIST.800-53.r5 AU-12", - "NIST.800-53.r5 AU-2", - "NIST.800-53.r5 AU-3", - "NIST.800-53.r5 AU-6(3)", - "NIST.800-53.r5 AU-6(4)", - "NIST.800-53.r5 CA-7", - "NIST.800-53.r5 SC-7(9)", - "NIST.800-53.r5 SI-3(8)", - "NIST.800-53.r5 SI-4(20)", - "NIST.800-53.r5 SI-7(8)" - ], - "SecurityControlId": "S3.9", - "AssociatedStandards": [ - { - "StandardsId": "standards/aws-foundational-security-best-practices/v/1.0.0" - }, - { - "StandardsId": "standards/nist-800-53/v/5.0.0" - } - ] - }, - "WorkflowState": "NEW", - "Workflow": { - "Status": "NEW" - }, - "RecordState": "ACTIVE", - 
"FindingProviderFields": { - "Severity": { - "Label": "MEDIUM", - "Original": "MEDIUM" - }, - "Types": [ - "Software and Configuration Checks/Industry and Regulatory Standards" - ] - }, - "ProcessedAt": "2024-07-24T19:05:18.542Z", - "AwsAccountName": "watcher" -} \ No newline at end of file diff --git a/tests/fixtures/findings/gui_legacy.json b/tests/fixtures/findings/gui_legacy.json deleted file mode 100644 index a59e9cd..0000000 --- a/tests/fixtures/findings/gui_legacy.json +++ /dev/null 
@@ -1,134 +0,0 @@
-{
- "SchemaVersion": "2018-10-08",
- "Id": "arn:aws:securityhub:eu-west-1:222555888333:subscription/aws-foundational-security-best-practices/v/1.0.0/GuardDuty.5/finding/fa64b182-1f5d-4c13-828a-50af12336fd0",
- "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub",
- "ProductName": "Security Hub",
- "CompanyName": "AWS",
- "Region": "eu-west-1",
- "GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/GuardDuty.5",
- "AwsAccountId": "222555888333",
- "Types": [
- "Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices"
- ],
- "FirstObservedAt": "2024-07-13T00:32:44.734Z",
- "LastObservedAt": "2024-07-17T12:36:15.611Z",
- "CreatedAt": "2024-07-13T00:32:44.734Z",
- "UpdatedAt": "2024-07-17T12:35:59.820Z",
- "Severity": {
- "Product": 70,
- "Label": "HIGH",
- "Normalized": 70,
- "Original": "HIGH"
- },
- "Title": "GuardDuty.5 GuardDuty EKS Audit Log Monitoring should be enabled",
- "Description": "This control checks whether GuardDuty EKS Audit Log Monitoring is enabled. The control fails if GuardDuty EKS Audit Log Monitoring isn't enabled.",
- "Remediation": {
- "Recommendation": {
- "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.",
- "Url": "https://docs.aws.amazon.com/console/securityhub/GuardDuty.5/remediation"
- }
- },
- "ProductFields": {
- "StandardsArn": "arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0",
- "StandardsSubscriptionArn": "arn:aws:securityhub:eu-west-1:222555888333:subscription/aws-foundational-security-best-practices/v/1.0.0",
- "ControlId": "GuardDuty.5",
- "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/GuardDuty.5/remediation",
- "RelatedAWSResources:0/name": "securityhub-guardduty-eks-protection-audit-enabled-4ea31c89",
- "RelatedAWSResources:0/type": "AWS::Config::ConfigRule",
- "StandardsControlArn": "arn:aws:securityhub:eu-west-1:222555888333:control/aws-foundational-security-best-practices/v/1.0.0/GuardDuty.5",
- "aws/securityhub/ProductName": "Security Hub",
- "aws/securityhub/CompanyName": "AWS",
- "Resources:0/Id": "arn:aws:guardduty:eu-west-1:222555888333:detector/c350ca4fd7594d5fbda1f71ac6332dc8",
- "aws/securityhub/FindingId": "arn:aws:securityhub:eu-west-1::product/aws/securityhub/arn:aws:securityhub:eu-west-1:222555888333:subscription/aws-foundational-security-best-practices/v/1.0.0/GuardDuty.5/finding/fa64b182-1f5d-4c13-828a-50af12336fd0"
- },
- "Resources": [
- {
- "Type": "AwsGuardDutyDetector",
- "Id": "arn:aws:guardduty:eu-west-1:222555888333:detector/c350ca4fd7594d5fbda1f71ac6332dc8",
- "Partition": "aws",
- "Region": "eu-west-1",
- "Tags": {
- "Environment": "staging",
- "Env": "stg",
- "Stack": "base"
- },
- "Details": {
- "AwsGuardDutyDetector": {
- "DataSources": {
- "Kubernetes": {
- "AuditLogs": {
- "Status": "DISABLED"
- }
- },
- "S3Logs": {
- "Status": "ENABLED"
- }
- },
- "Features": [
- {
- "Name": "CLOUD_TRAIL",
- "Status": "ENABLED"
- },
- {
- "Name": "DNS_LOGS",
- "Status": "ENABLED"
- },
- {
- "Name": "FLOW_LOGS",
- "Status": "ENABLED"
- },
- {
- "Name": "S3_DATA_EVENTS",
- "Status": "ENABLED"
- },
- {
- "Name": "EKS_AUDIT_LOGS",
- "Status": "DISABLED"
- },
- {
- "Name": "EBS_MALWARE_PROTECTION",
- "Status": "ENABLED"
- },
- {
- "Name": "RDS_LOGIN_EVENTS",
- "Status": "ENABLED"
- },
- {
- "Name": "EKS_RUNTIME_MONITORING",
- "Status": "DISABLED"
- },
- {
- "Name": "LAMBDA_NETWORK_LOGS",
- "Status": "ENABLED"
- },
- {
- "Name": "RUNTIME_MONITORING",
- "Status": "ENABLED"
- }
- ],
- "FindingPublishingFrequency": "FIFTEEN_MINUTES",
- "Status": "ENABLED"
- }
- }
- }
- ],
- "Compliance": {
- "Status": "FAILED"
- },
- "WorkflowState": "NEW",
- "Workflow": {
- "Status": "NEW"
- },
- "RecordState": "ACTIVE",
- "FindingProviderFields": {
- "Severity": {
- "Label": "HIGH",
- "Original": "HIGH"
- },
- "Types": [
- "Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices"
- ]
- },
- "ProcessedAt": "2024-07-17T12:36:18.763Z",
- "AwsAccountName": "base-client"
-}
diff --git a/tests/fixtures/matching_findings.json b/tests/fixtures/matching_findings.json
new file mode 100644
index 0000000..3bb6cea
--- /dev/null
+++ b/tests/fixtures/matching_findings.json
@@ -0,0 +1,1385 @@ +[ + { + "SchemaVersion": "2018-10-08", + "Id": "arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.8/finding/1ed5c403-ee76-491a-8248-0a5258972d3e", + "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub", + "ProductName": "Security Hub", + "CompanyName": "AWS", + "Region": "eu-west-1", + "GeneratorId": "security-control/S3.8", + "AwsAccountId": "988763490897", + "Types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ], + "FirstObservedAt": "2024-07-24T19:02:49.891Z", + "LastObservedAt": "2024-07-24T19:05:20.291Z", + "CreatedAt": "2024-07-24T19:02:49.891Z", + "UpdatedAt": "2024-07-24T19:05:04.979Z", + "Severity": { + "Label": "HIGH", + "Normalized": 70, + "Original": "HIGH" + }, + "Title": "S3 general purpose buckets should block public access", + "Description": "This control checks whether an Amazon S3 general purpose bucket blocks public access at the bucket level. The control fails if any of the following settings are set to false: ignorePublicAcls, blockPublicPolicy, blockPublicAcls, restrictPublicBuckets.", + "Remediation": { + "Recommendation": { + "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "Url": "https://docs.aws.amazon.com/console/securityhub/S3.8/remediation" + } + }, + "ProductFields": { + "RelatedAWSResources:0/name": "securityhub-s3-bucket-level-public-access-prohibited-f646f60c", + "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", + "aws/securityhub/ProductName": "Security Hub", + "aws/securityhub/CompanyName": "AWS", + "aws/securityhub/annotation": "PublicAccessBlockConfigurations are incorrect for block_public_acls: False ignore_public_acls: False block_public_policy: False restrict_public_buckets False", + "Resources:0/Id": "arn:aws:s3:::boeket-acc", + "aws/securityhub/FindingId": 
"arn:aws:securityhub:eu-west-1::product/aws/securityhub/arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.8/finding/1ed5c403-ee76-491a-8248-0a5258972d3e" + }, + "Resources": [ + { + "Type": "AwsS3Bucket", + "Id": "arn:aws:s3:::boeket-acc", + "Partition": "aws", + "Region": "eu-west-1", + "Tags": { + "ManagedBy": "CFN" + }, + "Details": { + "AwsS3Bucket": { + "OwnerId": "2240facc0082445db039bc31ec992cbbcbdc1f0f703d4f3dac0f91273a05d33f", + "CreatedAt": "2024-07-24T19:02:06.000Z", + "Name": "boeket-acc" + } + } + } + ], + "Compliance": { + "Status": "FAILED", + "RelatedRequirements": [ + "CIS AWS Foundations Benchmark v1.4.0/2.1.5", + "CIS AWS Foundations Benchmark v3.0.0/2.1.4", + "NIST.800-53.r5 AC-21", + "NIST.800-53.r5 AC-3", + "NIST.800-53.r5 AC-3(7)", + "NIST.800-53.r5 AC-4", + "NIST.800-53.r5 AC-4(21)", + "NIST.800-53.r5 AC-6", + "NIST.800-53.r5 SC-7", + "NIST.800-53.r5 SC-7(11)", + "NIST.800-53.r5 SC-7(16)", + "NIST.800-53.r5 SC-7(20)", + "NIST.800-53.r5 SC-7(21)", + "NIST.800-53.r5 SC-7(3)", + "NIST.800-53.r5 SC-7(4)", + "NIST.800-53.r5 SC-7(9)" + ], + "SecurityControlId": "S3.8", + "AssociatedStandards": [ + { + "StandardsId": "standards/aws-foundational-security-best-practices/v/1.0.0" + }, + { + "StandardsId": "standards/cis-aws-foundations-benchmark/v/1.4.0" + }, + { + "StandardsId": "standards/cis-aws-foundations-benchmark/v/3.0.0" + }, + { + "StandardsId": "standards/nist-800-53/v/5.0.0" + } + ] + }, + "WorkflowState": "NEW", + "Workflow": { + "Status": "NEW" + }, + "RecordState": "ACTIVE", + "FindingProviderFields": { + "Severity": { + "Label": "HIGH", + "Original": "HIGH" + }, + "Types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ] + }, + "ProcessedAt": "2024-07-24T19:05:23.489Z", + "AwsAccountName": "watcher" + }, + { + "SchemaVersion": "2018-10-08", + "Id": "arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.8/finding/09af4f16-0995-4b3f-802e-e8acc30a0977", + "ProductArn": 
"arn:aws:securityhub:eu-west-1::product/aws/securityhub", + "ProductName": "Security Hub", + "CompanyName": "AWS", + "Region": "eu-west-1", + "GeneratorId": "security-control/S3.8", + "AwsAccountId": "988763490897", + "Types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ], + "FirstObservedAt": "2024-07-24T19:02:49.890Z", + "LastObservedAt": "2024-07-24T19:07:20.369Z", + "CreatedAt": "2024-07-24T19:02:49.890Z", + "UpdatedAt": "2024-07-24T19:07:13.307Z", + "Severity": { + "Label": "HIGH", + "Normalized": 70, + "Original": "HIGH" + }, + "Title": "S3 general purpose buckets should block public access", + "Description": "This control checks whether an Amazon S3 general purpose bucket blocks public access at the bucket level. The control fails if any of the following settings are set to false: ignorePublicAcls, blockPublicPolicy, blockPublicAcls, restrictPublicBuckets.", + "Remediation": { + "Recommendation": { + "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "Url": "https://docs.aws.amazon.com/console/securityhub/S3.8/remediation" + } + }, + "ProductFields": { + "RelatedAWSResources:0/name": "securityhub-s3-bucket-level-public-access-prohibited-f646f60c", + "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", + "aws/securityhub/ProductName": "Security Hub", + "aws/securityhub/CompanyName": "AWS", + "aws/securityhub/annotation": "PublicAccessBlockConfigurations are incorrect for block_public_acls: False ignore_public_acls: False block_public_policy: False restrict_public_buckets False", + "Resources:0/Id": "arn:aws:s3:::boeket-dev", + "aws/securityhub/FindingId": "arn:aws:securityhub:eu-west-1::product/aws/securityhub/arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.8/finding/09af4f16-0995-4b3f-802e-e8acc30a0977" + }, + "Resources": [ + { + "Type": "AwsS3Bucket", + "Id": "arn:aws:s3:::boeket-dev", + "Partition": "aws", + "Region": "eu-west-1", + "Tags": { + 
"ManagedBy": "Pulumi", + "Terraform": "ManagedBy" + }, + "Details": { + "AwsS3Bucket": { + "OwnerId": "2240facc0082445db039bc31ec992cbbcbdc1f0f703d4f3dac0f91273a05d33f", + "CreatedAt": "2024-07-24T19:01:29.000Z", + "Name": "boeket-dev" + } + } + } + ], + "Compliance": { + "Status": "FAILED", + "RelatedRequirements": [ + "CIS AWS Foundations Benchmark v1.4.0/2.1.5", + "CIS AWS Foundations Benchmark v3.0.0/2.1.4", + "NIST.800-53.r5 AC-21", + "NIST.800-53.r5 AC-3", + "NIST.800-53.r5 AC-3(7)", + "NIST.800-53.r5 AC-4", + "NIST.800-53.r5 AC-4(21)", + "NIST.800-53.r5 AC-6", + "NIST.800-53.r5 SC-7", + "NIST.800-53.r5 SC-7(11)", + "NIST.800-53.r5 SC-7(16)", + "NIST.800-53.r5 SC-7(20)", + "NIST.800-53.r5 SC-7(21)", + "NIST.800-53.r5 SC-7(3)", + "NIST.800-53.r5 SC-7(4)", + "NIST.800-53.r5 SC-7(9)" + ], + "SecurityControlId": "S3.8", + "AssociatedStandards": [ + { + "StandardsId": "standards/aws-foundational-security-best-practices/v/1.0.0" + }, + { + "StandardsId": "standards/cis-aws-foundations-benchmark/v/1.4.0" + }, + { + "StandardsId": "standards/cis-aws-foundations-benchmark/v/3.0.0" + }, + { + "StandardsId": "standards/nist-800-53/v/5.0.0" + } + ] + }, + "WorkflowState": "NEW", + "Workflow": { + "Status": "NEW" + }, + "RecordState": "ACTIVE", + "FindingProviderFields": { + "Severity": { + "Label": "HIGH", + "Original": "HIGH" + }, + "Types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ] + }, + "ProcessedAt": "2024-07-24T19:07:23.491Z", + "AwsAccountName": "watcher" + }, + { + "SchemaVersion": "2018-10-08", + "Id": "arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.8/finding/bedcf351-f579-4787-b9e1-04d5b68142cf", + "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub", + "ProductName": "Security Hub", + "CompanyName": "AWS", + "Region": "eu-west-1", + "GeneratorId": "security-control/S3.8", + "AwsAccountId": "988763490897", + "Types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + 
], + "FirstObservedAt": "2024-07-24T19:05:04.979Z", + "LastObservedAt": "2024-07-24T19:05:07.596Z", + "CreatedAt": "2024-07-24T19:05:04.979Z", + "UpdatedAt": "2024-07-24T19:05:04.979Z", + "Severity": { + "Label": "HIGH", + "Normalized": 70, + "Original": "HIGH" + }, + "Title": "S3 general purpose buckets should block public access", + "Description": "This control checks whether an Amazon S3 general purpose bucket blocks public access at the bucket level. The control fails if any of the following settings are set to false: ignorePublicAcls, blockPublicPolicy, blockPublicAcls, restrictPublicBuckets.", + "Remediation": { + "Recommendation": { + "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "Url": "https://docs.aws.amazon.com/console/securityhub/S3.8/remediation" + } + }, + "ProductFields": { + "RelatedAWSResources:0/name": "securityhub-s3-bucket-level-public-access-prohibited-f646f60c", + "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", + "aws/securityhub/ProductName": "Security Hub", + "aws/securityhub/CompanyName": "AWS", + "aws/securityhub/annotation": "PublicAccessBlockConfigurations are incorrect for block_public_acls: False ignore_public_acls: False block_public_policy: False restrict_public_buckets False", + "Resources:0/Id": "arn:aws:s3:::boeket-prd", + "aws/securityhub/FindingId": "arn:aws:securityhub:eu-west-1::product/aws/securityhub/arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.8/finding/bedcf351-f579-4787-b9e1-04d5b68142cf" + }, + "Resources": [ + { + "Type": "AwsS3Bucket", + "Id": "arn:aws:s3:::boeket-prd", + "Partition": "aws", + "Region": "eu-west-1", + "Tags": { + "ManagedBy": "Terraform" + }, + "Details": { + "AwsS3Bucket": { + "OwnerId": "2240facc0082445db039bc31ec992cbbcbdc1f0f703d4f3dac0f91273a05d33f", + "CreatedAt": "2024-07-24T19:02:52.000Z", + "Name": "boeket-prd" + } + } + } + ], + "Compliance": { + "Status": "FAILED", + "RelatedRequirements": [ + "CIS 
AWS Foundations Benchmark v1.4.0/2.1.5", + "CIS AWS Foundations Benchmark v3.0.0/2.1.4", + "NIST.800-53.r5 AC-21", + "NIST.800-53.r5 AC-3", + "NIST.800-53.r5 AC-3(7)", + "NIST.800-53.r5 AC-4", + "NIST.800-53.r5 AC-4(21)", + "NIST.800-53.r5 AC-6", + "NIST.800-53.r5 SC-7", + "NIST.800-53.r5 SC-7(11)", + "NIST.800-53.r5 SC-7(16)", + "NIST.800-53.r5 SC-7(20)", + "NIST.800-53.r5 SC-7(21)", + "NIST.800-53.r5 SC-7(3)", + "NIST.800-53.r5 SC-7(4)", + "NIST.800-53.r5 SC-7(9)" + ], + "SecurityControlId": "S3.8", + "AssociatedStandards": [ + { + "StandardsId": "standards/aws-foundational-security-best-practices/v/1.0.0" + }, + { + "StandardsId": "standards/cis-aws-foundations-benchmark/v/1.4.0" + }, + { + "StandardsId": "standards/cis-aws-foundations-benchmark/v/3.0.0" + }, + { + "StandardsId": "standards/nist-800-53/v/5.0.0" + } + ] + }, + "WorkflowState": "NEW", + "Workflow": { + "Status": "NEW" + }, + "RecordState": "ACTIVE", + "FindingProviderFields": { + "Severity": { + "Label": "HIGH", + "Original": "HIGH" + }, + "Types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ] + }, + "ProcessedAt": "2024-07-24T19:05:09.226Z", + "AwsAccountName": "watcher" + }, + { + "SchemaVersion": "2018-10-08", + "Id": "arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.9/finding/71a625e2-1a57-4fee-bc3f-22cf3f9f9e57", + "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub", + "ProductName": "Security Hub", + "CompanyName": "AWS", + "Region": "eu-west-1", + "GeneratorId": "security-control/S3.9", + "AwsAccountId": "988763490897", + "Types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ], + "FirstObservedAt": "2024-07-24T19:02:52.835Z", + "LastObservedAt": "2024-07-24T19:05:15.218Z", + "CreatedAt": "2024-07-24T19:02:52.835Z", + "UpdatedAt": "2024-07-24T19:05:08.371Z", + "Severity": { + "Label": "MEDIUM", + "Normalized": 40, + "Original": "MEDIUM" + }, + "Title": "S3 general purpose buckets should have 
server access logging enabled", + "Description": "This control checks whether server access logging is enabled for an Amazon S3 general purpose bucket. The control fails if server access logging isn't enabled. When logging is enabled, Amazon S3 delivers access logs for a source bucket to a chosen target bucket. The target bucket must be in the same AWS Region as the source bucket and must not have a default retention period configured. The target logging bucket does not need to have server access logging enabled, and you should suppress findings for this bucket.", + "Remediation": { + "Recommendation": { + "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "Url": "https://docs.aws.amazon.com/console/securityhub/S3.9/remediation" + } + }, + "ProductFields": { + "RelatedAWSResources:0/name": "securityhub-s3-bucket-logging-enabled-a2569319", + "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", + "aws/securityhub/ProductName": "Security Hub", + "aws/securityhub/CompanyName": "AWS", + "Resources:0/Id": "arn:aws:s3:::boeket-acc", + "aws/securityhub/FindingId": "arn:aws:securityhub:eu-west-1::product/aws/securityhub/arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.9/finding/71a625e2-1a57-4fee-bc3f-22cf3f9f9e57" + }, + "Resources": [ + { + "Type": "AwsS3Bucket", + "Id": "arn:aws:s3:::boeket-acc", + "Partition": "aws", + "Region": "eu-west-1", + "Tags": { + "ManagedBy": "CFN" + }, + "Details": { + "AwsS3Bucket": { + "OwnerId": "2240facc0082445db039bc31ec992cbbcbdc1f0f703d4f3dac0f91273a05d33f", + "CreatedAt": "2024-07-24T19:02:06.000Z", + "Name": "boeket-acc" + } + } + } + ], + "Compliance": { + "Status": "FAILED", + "RelatedRequirements": [ + "NIST.800-53.r5 AC-2(4)", + "NIST.800-53.r5 AC-4(26)", + "NIST.800-53.r5 AC-6(9)", + "NIST.800-53.r5 AU-10", + "NIST.800-53.r5 AU-12", + "NIST.800-53.r5 AU-2", + "NIST.800-53.r5 AU-3", + "NIST.800-53.r5 AU-6(3)", + "NIST.800-53.r5 AU-6(4)", + 
"NIST.800-53.r5 CA-7", + "NIST.800-53.r5 SC-7(9)", + "NIST.800-53.r5 SI-3(8)", + "NIST.800-53.r5 SI-4(20)", + "NIST.800-53.r5 SI-7(8)" + ], + "SecurityControlId": "S3.9", + "AssociatedStandards": [ + { + "StandardsId": "standards/aws-foundational-security-best-practices/v/1.0.0" + }, + { + "StandardsId": "standards/nist-800-53/v/5.0.0" + } + ] + }, + "WorkflowState": "NEW", + "Workflow": { + "Status": "NEW" + }, + "RecordState": "ACTIVE", + "FindingProviderFields": { + "Severity": { + "Label": "MEDIUM", + "Original": "MEDIUM" + }, + "Types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ] + }, + "ProcessedAt": "2024-07-24T19:05:17.718Z", + "AwsAccountName": "watcher" + }, + { + "SchemaVersion": "2018-10-08", + "Id": "arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.9/finding/180e73dc-a807-4ddd-a36a-14696c85ba9e", + "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub", + "ProductName": "Security Hub", + "CompanyName": "AWS", + "Region": "eu-west-1", + "GeneratorId": "security-control/S3.9", + "AwsAccountId": "988763490897", + "Types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ], + "FirstObservedAt": "2024-07-24T19:02:52.834Z", + "LastObservedAt": "2024-07-24T19:07:26.669Z", + "CreatedAt": "2024-07-24T19:02:52.834Z", + "UpdatedAt": "2024-07-24T19:07:18.543Z", + "Severity": { + "Label": "MEDIUM", + "Normalized": 40, + "Original": "MEDIUM" + }, + "Title": "S3 general purpose buckets should have server access logging enabled", + "Description": "This control checks whether server access logging is enabled for an Amazon S3 general purpose bucket. The control fails if server access logging isn't enabled. When logging is enabled, Amazon S3 delivers access logs for a source bucket to a chosen target bucket. The target bucket must be in the same AWS Region as the source bucket and must not have a default retention period configured. 
The target logging bucket does not need to have server access logging enabled, and you should suppress findings for this bucket.", + "Remediation": { + "Recommendation": { + "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "Url": "https://docs.aws.amazon.com/console/securityhub/S3.9/remediation" + } + }, + "ProductFields": { + "RelatedAWSResources:0/name": "securityhub-s3-bucket-logging-enabled-a2569319", + "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", + "aws/securityhub/ProductName": "Security Hub", + "aws/securityhub/CompanyName": "AWS", + "Resources:0/Id": "arn:aws:s3:::boeket-dev", + "aws/securityhub/FindingId": "arn:aws:securityhub:eu-west-1::product/aws/securityhub/arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.9/finding/180e73dc-a807-4ddd-a36a-14696c85ba9e" + }, + "Resources": [ + { + "Type": "AwsS3Bucket", + "Id": "arn:aws:s3:::boeket-dev", + "Partition": "aws", + "Region": "eu-west-1", + "Tags": { + "ManagedBy": "Pulumi", + "Terraform": "ManagedBy" + }, + "Details": { + "AwsS3Bucket": { + "OwnerId": "2240facc0082445db039bc31ec992cbbcbdc1f0f703d4f3dac0f91273a05d33f", + "CreatedAt": "2024-07-24T19:01:29.000Z", + "Name": "boeket-dev" + } + } + } + ], + "Compliance": { + "Status": "FAILED", + "RelatedRequirements": [ + "NIST.800-53.r5 AC-2(4)", + "NIST.800-53.r5 AC-4(26)", + "NIST.800-53.r5 AC-6(9)", + "NIST.800-53.r5 AU-10", + "NIST.800-53.r5 AU-12", + "NIST.800-53.r5 AU-2", + "NIST.800-53.r5 AU-3", + "NIST.800-53.r5 AU-6(3)", + "NIST.800-53.r5 AU-6(4)", + "NIST.800-53.r5 CA-7", + "NIST.800-53.r5 SC-7(9)", + "NIST.800-53.r5 SI-3(8)", + "NIST.800-53.r5 SI-4(20)", + "NIST.800-53.r5 SI-7(8)" + ], + "SecurityControlId": "S3.9", + "AssociatedStandards": [ + { + "StandardsId": "standards/aws-foundational-security-best-practices/v/1.0.0" + }, + { + "StandardsId": "standards/nist-800-53/v/5.0.0" + } + ] + }, + "WorkflowState": "NEW", + "Workflow": { + "Status": "NEW" + }, + 
"RecordState": "ACTIVE", + "FindingProviderFields": { + "Severity": { + "Label": "MEDIUM", + "Original": "MEDIUM" + }, + "Types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ] + }, + "ProcessedAt": "2024-07-24T19:07:29.263Z", + "AwsAccountName": "watcher" + }, + { + "SchemaVersion": "2018-10-08", + "Id": "arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.14/finding/e27c3ee5-4616-4d32-9eaf-adcf01921246", + "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub", + "ProductName": "Security Hub", + "CompanyName": "AWS", + "Region": "eu-west-1", + "GeneratorId": "security-control/S3.14", + "AwsAccountId": "988763490897", + "Types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ], + "FirstObservedAt": "2024-07-24T19:02:50.270Z", + "LastObservedAt": "2024-07-24T19:05:18.868Z", + "CreatedAt": "2024-07-24T19:02:50.270Z", + "UpdatedAt": "2024-07-24T19:05:05.304Z", + "Severity": { + "Label": "LOW", + "Normalized": 1, + "Original": "LOW" + }, + "Title": "S3 general purpose buckets should have versioning enabled", + "Description": "This control checks whether an Amazon S3 general purpose bucket has versioning enabled. 
The control fails if versioning is suspended for the bucket.", + "Remediation": { + "Recommendation": { + "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "Url": "https://docs.aws.amazon.com/console/securityhub/S3.14/remediation" + } + }, + "ProductFields": { + "RelatedAWSResources:0/name": "securityhub-s3-bucket-versioning-enabled-a376307d", + "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", + "aws/securityhub/ProductName": "Security Hub", + "aws/securityhub/CompanyName": "AWS", + "Resources:0/Id": "arn:aws:s3:::boeket-acc", + "aws/securityhub/FindingId": "arn:aws:securityhub:eu-west-1::product/aws/securityhub/arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.14/finding/e27c3ee5-4616-4d32-9eaf-adcf01921246" + }, + "Resources": [ + { + "Type": "AwsS3Bucket", + "Id": "arn:aws:s3:::boeket-acc", + "Partition": "aws", + "Region": "eu-west-1", + "Tags": { + "ManagedBy": "CFN" + }, + "Details": { + "AwsS3Bucket": { + "OwnerId": "2240facc0082445db039bc31ec992cbbcbdc1f0f703d4f3dac0f91273a05d33f", + "CreatedAt": "2024-07-24T19:02:06.000Z", + "Name": "boeket-acc" + } + } + } + ], + "Compliance": { + "Status": "FAILED", + "RelatedRequirements": [ + "NIST.800-53.r5 AU-9(2)", + "NIST.800-53.r5 CP-10", + "NIST.800-53.r5 CP-6", + "NIST.800-53.r5 CP-6(1)", + "NIST.800-53.r5 CP-6(2)", + "NIST.800-53.r5 CP-9", + "NIST.800-53.r5 SC-5(2)", + "NIST.800-53.r5 SI-12", + "NIST.800-53.r5 SI-13(5)" + ], + "SecurityControlId": "S3.14", + "AssociatedStandards": [ + { + "StandardsId": "standards/nist-800-53/v/5.0.0" + } + ] + }, + "WorkflowState": "NEW", + "Workflow": { + "Status": "NEW" + }, + "RecordState": "ACTIVE", + "FindingProviderFields": { + "Severity": { + "Label": "LOW", + "Original": "LOW" + }, + "Types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ] + }, + "ProcessedAt": "2024-07-24T19:05:21.841Z", + "AwsAccountName": "watcher" + }, + { + "SchemaVersion": 
"2018-10-08", + "Id": "arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.14/finding/4b0d331f-2396-4663-847b-344126c3e780", + "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub", + "ProductName": "Security Hub", + "CompanyName": "AWS", + "Region": "eu-west-1", + "GeneratorId": "security-control/S3.14", + "AwsAccountId": "988763490897", + "Types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ], + "FirstObservedAt": "2024-07-24T19:02:50.271Z", + "LastObservedAt": "2024-07-24T19:07:24.672Z", + "CreatedAt": "2024-07-24T19:02:50.271Z", + "UpdatedAt": "2024-07-24T19:07:14.170Z", + "Severity": { + "Label": "LOW", + "Normalized": 1, + "Original": "LOW" + }, + "Title": "S3 general purpose buckets should have versioning enabled", + "Description": "This control checks whether an Amazon S3 general purpose bucket has versioning enabled. The control fails if versioning is suspended for the bucket.", + "Remediation": { + "Recommendation": { + "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "Url": "https://docs.aws.amazon.com/console/securityhub/S3.14/remediation" + } + }, + "ProductFields": { + "RelatedAWSResources:0/name": "securityhub-s3-bucket-versioning-enabled-a376307d", + "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", + "aws/securityhub/ProductName": "Security Hub", + "aws/securityhub/CompanyName": "AWS", + "Resources:0/Id": "arn:aws:s3:::boeket-dev", + "aws/securityhub/FindingId": "arn:aws:securityhub:eu-west-1::product/aws/securityhub/arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.14/finding/4b0d331f-2396-4663-847b-344126c3e780" + }, + "Resources": [ + { + "Type": "AwsS3Bucket", + "Id": "arn:aws:s3:::boeket-dev", + "Partition": "aws", + "Region": "eu-west-1", + "Tags": { + "ManagedBy": "Pulumi", + "Terraform": "ManagedBy" + }, + "Details": { + "AwsS3Bucket": { + "OwnerId": 
"2240facc0082445db039bc31ec992cbbcbdc1f0f703d4f3dac0f91273a05d33f", + "CreatedAt": "2024-07-24T19:01:29.000Z", + "Name": "boeket-dev" + } + } + } + ], + "Compliance": { + "Status": "FAILED", + "RelatedRequirements": [ + "NIST.800-53.r5 AU-9(2)", + "NIST.800-53.r5 CP-10", + "NIST.800-53.r5 CP-6", + "NIST.800-53.r5 CP-6(1)", + "NIST.800-53.r5 CP-6(2)", + "NIST.800-53.r5 CP-9", + "NIST.800-53.r5 SC-5(2)", + "NIST.800-53.r5 SI-12", + "NIST.800-53.r5 SI-13(5)" + ], + "SecurityControlId": "S3.14", + "AssociatedStandards": [ + { + "StandardsId": "standards/nist-800-53/v/5.0.0" + } + ] + }, + "WorkflowState": "NEW", + "Workflow": { + "Status": "NEW" + }, + "RecordState": "ACTIVE", + "FindingProviderFields": { + "Severity": { + "Label": "LOW", + "Original": "LOW" + }, + "Types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ] + }, + "ProcessedAt": "2024-07-24T19:07:28.104Z", + "AwsAccountName": "watcher" + }, + { + "SchemaVersion": "2018-10-08", + "Id": "arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.14/finding/db101219-4b19-4176-a660-490d30b7945d", + "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub", + "ProductName": "Security Hub", + "CompanyName": "AWS", + "Region": "eu-west-1", + "GeneratorId": "security-control/S3.14", + "AwsAccountId": "988763490897", + "Types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ], + "FirstObservedAt": "2024-07-24T19:05:05.304Z", + "LastObservedAt": "2024-07-24T19:05:20.186Z", + "CreatedAt": "2024-07-24T19:05:05.304Z", + "UpdatedAt": "2024-07-24T19:05:05.304Z", + "Severity": { + "Label": "LOW", + "Normalized": 1, + "Original": "LOW" + }, + "Title": "S3 general purpose buckets should have versioning enabled", + "Description": "This control checks whether an Amazon S3 general purpose bucket has versioning enabled. 
The control fails if versioning is suspended for the bucket.", + "Remediation": { + "Recommendation": { + "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "Url": "https://docs.aws.amazon.com/console/securityhub/S3.14/remediation" + } + }, + "ProductFields": { + "RelatedAWSResources:0/name": "securityhub-s3-bucket-versioning-enabled-a376307d", + "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", + "aws/securityhub/ProductName": "Security Hub", + "aws/securityhub/CompanyName": "AWS", + "Resources:0/Id": "arn:aws:s3:::boeket-prd", + "aws/securityhub/FindingId": "arn:aws:securityhub:eu-west-1::product/aws/securityhub/arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.14/finding/db101219-4b19-4176-a660-490d30b7945d" + }, + "Resources": [ + { + "Type": "AwsS3Bucket", + "Id": "arn:aws:s3:::boeket-prd", + "Partition": "aws", + "Region": "eu-west-1", + "Tags": { + "ManagedBy": "Terraform" + }, + "Details": { + "AwsS3Bucket": { + "OwnerId": "2240facc0082445db039bc31ec992cbbcbdc1f0f703d4f3dac0f91273a05d33f", + "CreatedAt": "2024-07-24T19:02:52.000Z", + "Name": "boeket-prd" + } + } + } + ], + "Compliance": { + "Status": "FAILED", + "RelatedRequirements": [ + "NIST.800-53.r5 AU-9(2)", + "NIST.800-53.r5 CP-10", + "NIST.800-53.r5 CP-6", + "NIST.800-53.r5 CP-6(1)", + "NIST.800-53.r5 CP-6(2)", + "NIST.800-53.r5 CP-9", + "NIST.800-53.r5 SC-5(2)", + "NIST.800-53.r5 SI-12", + "NIST.800-53.r5 SI-13(5)" + ], + "SecurityControlId": "S3.14", + "AssociatedStandards": [ + { + "StandardsId": "standards/nist-800-53/v/5.0.0" + } + ] + }, + "WorkflowState": "NEW", + "Workflow": { + "Status": "NEW" + }, + "RecordState": "ACTIVE", + "FindingProviderFields": { + "Severity": { + "Label": "LOW", + "Original": "LOW" + }, + "Types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ] + }, + "ProcessedAt": "2024-07-24T19:05:23.098Z", + "AwsAccountName": "watcher" + }, + { + "SchemaVersion": 
"2018-10-08", + "Id": "arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.20/finding/2e14352c-2bb5-4dfc-88af-71467172d92f", + "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub", + "ProductName": "Security Hub", + "CompanyName": "AWS", + "Region": "eu-west-1", + "GeneratorId": "security-control/S3.20", + "AwsAccountId": "988763490897", + "Types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ], + "FirstObservedAt": "2024-07-24T19:02:51.161Z", + "LastObservedAt": "2024-07-24T19:05:23.043Z", + "CreatedAt": "2024-07-24T19:02:51.161Z", + "UpdatedAt": "2024-07-24T19:05:07.028Z", + "Severity": { + "Label": "LOW", + "Normalized": 1, + "Original": "LOW" + }, + "Title": "S3 general purpose buckets should have MFA delete enabled", + "Description": "This control checks if multi-factor authentication (MFA) delete is enabled on an Amazon S3 general purpose bucket. The control fails if MFA delete isn't enabled on the bucket.", + "Remediation": { + "Recommendation": { + "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "Url": "https://docs.aws.amazon.com/console/securityhub/S3.20/remediation" + } + }, + "ProductFields": { + "RelatedAWSResources:0/name": "securityhub-s3-bucket-mfa-delete-enabled-ecb9e4b4", + "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", + "aws/securityhub/ProductName": "Security Hub", + "aws/securityhub/CompanyName": "AWS", + "Resources:0/Id": "arn:aws:s3:::boeket-acc", + "aws/securityhub/FindingId": "arn:aws:securityhub:eu-west-1::product/aws/securityhub/arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.20/finding/2e14352c-2bb5-4dfc-88af-71467172d92f" + }, + "Resources": [ + { + "Type": "AwsS3Bucket", + "Id": "arn:aws:s3:::boeket-acc", + "Partition": "aws", + "Region": "eu-west-1", + "Tags": { + "ManagedBy": "CFN" + }, + "Details": { + "AwsS3Bucket": { + "OwnerId": 
"2240facc0082445db039bc31ec992cbbcbdc1f0f703d4f3dac0f91273a05d33f", + "CreatedAt": "2024-07-24T19:02:06.000Z", + "Name": "boeket-acc" + } + } + } + ], + "Compliance": { + "Status": "FAILED", + "RelatedRequirements": [ + "CIS AWS Foundations Benchmark v1.4.0/2.1.3", + "CIS AWS Foundations Benchmark v3.0.0/2.1.2", + "NIST.800-53.r5 CA-9(1)", + "NIST.800-53.r5 CM-2", + "NIST.800-53.r5 CM-2(2)", + "NIST.800-53.r5 CM-3", + "NIST.800-53.r5 SC-5(2)" + ], + "SecurityControlId": "S3.20", + "AssociatedStandards": [ + { + "StandardsId": "standards/cis-aws-foundations-benchmark/v/1.4.0" + }, + { + "StandardsId": "standards/cis-aws-foundations-benchmark/v/3.0.0" + }, + { + "StandardsId": "standards/nist-800-53/v/5.0.0" + } + ] + }, + "WorkflowState": "NEW", + "Workflow": { + "Status": "NEW" + }, + "RecordState": "ACTIVE", + "FindingProviderFields": { + "Severity": { + "Label": "LOW", + "Original": "LOW" + }, + "Types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ] + }, + "ProcessedAt": "2024-07-24T19:05:26.294Z", + "AwsAccountName": "watcher" + }, + { + "SchemaVersion": "2018-10-08", + "Id": "arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.20/finding/45fee04a-22ed-4242-a316-ebaecd5a1b36", + "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub", + "ProductName": "Security Hub", + "CompanyName": "AWS", + "Region": "eu-west-1", + "GeneratorId": "security-control/S3.20", + "AwsAccountId": "988763490897", + "Types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ], + "FirstObservedAt": "2024-07-24T19:02:51.160Z", + "LastObservedAt": "2024-07-24T19:07:23.639Z", + "CreatedAt": "2024-07-24T19:02:51.160Z", + "UpdatedAt": "2024-07-24T19:07:15.150Z", + "Severity": { + "Label": "LOW", + "Normalized": 1, + "Original": "LOW" + }, + "Title": "S3 general purpose buckets should have MFA delete enabled", + "Description": "This control checks if multi-factor authentication (MFA) delete is enabled on an 
Amazon S3 general purpose bucket. The control fails if MFA delete isn't enabled on the bucket.", + "Remediation": { + "Recommendation": { + "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "Url": "https://docs.aws.amazon.com/console/securityhub/S3.20/remediation" + } + }, + "ProductFields": { + "RelatedAWSResources:0/name": "securityhub-s3-bucket-mfa-delete-enabled-ecb9e4b4", + "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", + "aws/securityhub/ProductName": "Security Hub", + "aws/securityhub/CompanyName": "AWS", + "Resources:0/Id": "arn:aws:s3:::boeket-dev", + "aws/securityhub/FindingId": "arn:aws:securityhub:eu-west-1::product/aws/securityhub/arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.20/finding/45fee04a-22ed-4242-a316-ebaecd5a1b36" + }, + "Resources": [ + { + "Type": "AwsS3Bucket", + "Id": "arn:aws:s3:::boeket-dev", + "Partition": "aws", + "Region": "eu-west-1", + "Tags": { + "ManagedBy": "Pulumi", + "Terraform": "ManagedBy" + }, + "Details": { + "AwsS3Bucket": { + "OwnerId": "2240facc0082445db039bc31ec992cbbcbdc1f0f703d4f3dac0f91273a05d33f", + "CreatedAt": "2024-07-24T19:01:29.000Z", + "Name": "boeket-dev" + } + } + } + ], + "Compliance": { + "Status": "FAILED", + "RelatedRequirements": [ + "CIS AWS Foundations Benchmark v1.4.0/2.1.3", + "CIS AWS Foundations Benchmark v3.0.0/2.1.2", + "NIST.800-53.r5 CA-9(1)", + "NIST.800-53.r5 CM-2", + "NIST.800-53.r5 CM-2(2)", + "NIST.800-53.r5 CM-3", + "NIST.800-53.r5 SC-5(2)" + ], + "SecurityControlId": "S3.20", + "AssociatedStandards": [ + { + "StandardsId": "standards/cis-aws-foundations-benchmark/v/1.4.0" + }, + { + "StandardsId": "standards/cis-aws-foundations-benchmark/v/3.0.0" + }, + { + "StandardsId": "standards/nist-800-53/v/5.0.0" + } + ] + }, + "WorkflowState": "NEW", + "Workflow": { + "Status": "NEW" + }, + "RecordState": "ACTIVE", + "FindingProviderFields": { + "Severity": { + "Label": "LOW", + "Original": "LOW" + }, + 
"Types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ] + }, + "ProcessedAt": "2024-07-24T19:07:26.943Z", + "AwsAccountName": "watcher" + }, + { + "SchemaVersion": "2018-10-08", + "Id": "arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.20/finding/c9403a5e-0f03-45f6-a85e-754f043a6b10", + "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub", + "ProductName": "Security Hub", + "CompanyName": "AWS", + "Region": "eu-west-1", + "GeneratorId": "security-control/S3.20", + "AwsAccountId": "988763490897", + "Types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ], + "FirstObservedAt": "2024-07-24T19:04:59.056Z", + "LastObservedAt": "2024-07-24T19:05:08.787Z", + "CreatedAt": "2024-07-24T19:04:59.056Z", + "UpdatedAt": "2024-07-24T19:04:59.056Z", + "Severity": { + "Label": "LOW", + "Normalized": 1, + "Original": "LOW" + }, + "Title": "S3 general purpose buckets should have MFA delete enabled", + "Description": "This control checks if multi-factor authentication (MFA) delete is enabled on an Amazon S3 general purpose bucket. 
The control fails if MFA delete isn't enabled on the bucket.", + "Remediation": { + "Recommendation": { + "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "Url": "https://docs.aws.amazon.com/console/securityhub/S3.20/remediation" + } + }, + "ProductFields": { + "RelatedAWSResources:0/name": "securityhub-s3-bucket-mfa-delete-enabled-ecb9e4b4", + "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", + "aws/securityhub/ProductName": "Security Hub", + "aws/securityhub/CompanyName": "AWS", + "Resources:0/Id": "arn:aws:s3:::boeket-prd", + "aws/securityhub/FindingId": "arn:aws:securityhub:eu-west-1::product/aws/securityhub/arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.20/finding/c9403a5e-0f03-45f6-a85e-754f043a6b10" + }, + "Resources": [ + { + "Type": "AwsS3Bucket", + "Id": "arn:aws:s3:::boeket-prd", + "Partition": "aws", + "Region": "eu-west-1", + "Tags": { + "ManagedBy": "Terraform" + }, + "Details": { + "AwsS3Bucket": { + "OwnerId": "2240facc0082445db039bc31ec992cbbcbdc1f0f703d4f3dac0f91273a05d33f", + "CreatedAt": "2024-07-24T19:02:52.000Z", + "Name": "boeket-prd" + } + } + } + ], + "Compliance": { + "Status": "FAILED", + "RelatedRequirements": [ + "CIS AWS Foundations Benchmark v1.4.0/2.1.3", + "CIS AWS Foundations Benchmark v3.0.0/2.1.2", + "NIST.800-53.r5 CA-9(1)", + "NIST.800-53.r5 CM-2", + "NIST.800-53.r5 CM-2(2)", + "NIST.800-53.r5 CM-3", + "NIST.800-53.r5 SC-5(2)" + ], + "SecurityControlId": "S3.20", + "AssociatedStandards": [ + { + "StandardsId": "standards/cis-aws-foundations-benchmark/v/1.4.0" + }, + { + "StandardsId": "standards/cis-aws-foundations-benchmark/v/3.0.0" + }, + { + "StandardsId": "standards/nist-800-53/v/5.0.0" + } + ] + }, + "WorkflowState": "NEW", + "Workflow": { + "Status": "NEW" + }, + "RecordState": "ACTIVE", + "FindingProviderFields": { + "Severity": { + "Label": "LOW", + "Original": "LOW" + }, + "Types": [ + "Software and Configuration Checks/Industry and 
Regulatory Standards" + ] + }, + "ProcessedAt": "2024-07-24T19:05:12.057Z", + "AwsAccountName": "watcher" + }, + { + "AwsAccountId": "012345678912", + "AwsAccountName": "account", + "CompanyName": "Amazon", + "CreatedAt": "2024-11-11T14:40:00.016Z", + "Description": "A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability.", + "FindingProviderFields": { + "Types": [ + "Software and Configuration Checks/Vulnerabilities/CVE" + ], + "Severity": { + "Normalized": 70, + "Label": "HIGH" + } + }, + "FirstObservedAt": "2024-11-11T14:40:00.016Z", + "GeneratorId": "AWSInspector", + "Id": "arn:aws:inspector2:eu-west-1:012345678912:finding/ff4ebfb9d83b0ee89c7140b30eed5ef9", + "LastObservedAt": "2024-11-11T14:40:00.016Z", + "ProcessedAt": "2024-11-11T14:45:08.567Z", + "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/inspector", + "ProductFields": { + "aws/inspector/ProductVersion": "2", + "aws/inspector/FindingStatus": "CLOSED", + "aws/inspector/inspectorScore": "7.5", + "aws/inspector/instanceId": "i-01e8db61387e018b4", + "aws/inspector/resources/1/resourceDetails/awsEc2InstanceDetails/platform": "UBUNTU_22_04", + "aws/securityhub/FindingId": "arn:aws:securityhub:eu-west-1::product/aws/inspector/arn:aws:inspector2:eu-west-1:012345678912:finding/ff4ebfb9d83b0ee89c7140b30eed5ef9", + "aws/securityhub/ProductName": "Inspector", + "aws/securityhub/CompanyName": "Amazon" + }, + "ProductName": "Inspector", + "RecordState": "ARCHIVED", + "Region": "eu-west-1", + "Remediation": { + "Recommendation": { + "Text": "Remediation is available. 
Please refer to the Fixed version in the vulnerability details section above.For detailed remediation guidance for each of the affected packages, refer to the vulnerabilities section of the detailed finding JSON." + } + }, + "Resources": [ + { + "Details": { + "AwsEc2Instance": { + "Type": "t3.large", + "VpcId": "vpc-0d165124e6f1211e6", + "ImageId": "ami-030c1a56dd9a0ccd8", + "IpV4Addresses": [ + "192.168.0.74" + ], + "SubnetId": "subnet-062ae210766aa9614", + "LaunchedAt": "2024-11-11T14:38:42.000Z", + "IamInstanceProfileArn": "arn:aws:iam::012345678912:instance-profile/example/example-profile" + } + }, + "Id": "arn:aws:ec2:eu-west-1:012345678912:instance/i-01e8db61387e018b4", + "Partition": "aws", + "Region": "eu-west-1", + "Tags": { + "aws:ec2:fleet-id": "fleet-28b70307-1da4-e616-0cb8-0d20555fe75c", + "ghr:environment": "example", + "aws:ec2launchtemplate:version": "9", + "aws:ec2launchtemplate:id": "lt-0c064043433a6dcfe", + "Name": "example-action-runner" + }, + "Type": "AwsEc2Instance" + } + ], + "SchemaVersion": "2018-10-08", + "Severity": { + "Label": "HIGH", + "Normalized": 70 + }, + "Title": "CVE-2021-3737 - python3.10, python3.10-minimal", + "Types": [ + "Software and Configuration Checks/Vulnerabilities/CVE" + ], + "UpdatedAt": "2024-11-11T14:44:51.175Z", + "Vulnerabilities": [ + { + "Cvss": [ + { + "BaseScore": 7.5, + "BaseVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Source": "UBUNTU_CVE", + "Version": "3.1" + }, + { + "BaseScore": 7.5, + "BaseVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Source": "NVD", + "Version": "3.1" + }, + { + "BaseScore": 7.5, + "BaseVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Source": "UBUNTU_CVE", + "Version": "3.1" + } + ], + "EpssScore": 0.01559, + "ExploitAvailable": "NO", + "FixAvailable": "YES", + "Id": "CVE-2021-3737", + "ReferenceUrls": [ + "https://ubuntu.com/security/notices/USN-5083-1", + "https://ubuntu.com/security/notices/USN-5201-1", + 
"https://ubuntu.com/security/notices/USN-5200-1", + "https://ubuntu.com/security/notices/USN-6891-1", + "https://bugs.python.org/issue44022", + "https://www.cve.org/CVERecord?id=CVE-2021-3737", + "https://ubuntu.com/security/notices/USN-5199-1" + ], + "RelatedVulnerabilities": [ + "USN-5200-1", + "USN-5201-1", + "USN-5083-1", + "USN-6891-1", + "USN-5199-1" + ], + "Vendor": { + "VendorCreatedAt": "2022-03-04T19:15:00.000Z", + "VendorSeverity": "medium", + "Url": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-3737.html", + "Name": "UBUNTU_CVE" + }, + "VulnerablePackages": [ + { + "Architecture": "X86_64", + "PackageManager": "OS", + "Version": "3.10.6", + "Epoch": "0", + "FixedInVersion": "0:3.10.12-1~22.04.4", + "Remediation": "apt-get update && apt-get upgrade", + "Release": "1~22.04.2ubuntu1.1", + "Name": "python3.10" + }, + { + "Architecture": "X86_64", + "PackageManager": "OS", + "Version": "3.10.6", + "Epoch": "0", + "FixedInVersion": "0:3.10.12-1~22.04.4", + "Remediation": "apt-get update && apt-get upgrade", + "Release": "1~22.04.2ubuntu1.1", + "Name": "python3.10-minimal" + } + ] + } + ], + "Workflow": { + "Status": "NEW" + }, + "WorkflowState": "NEW" + }, + { + "SchemaVersion": "2018-10-08", + "Id": "arn:aws:securityhub:eu-west-1:222555888333:subscription/aws-foundational-security-best-practices/v/1.0.0/GuardDuty.5/finding/fa64b182-1f5d-4c13-828a-50af12336fd0", + "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub", + "ProductName": "Security Hub", + "CompanyName": "AWS", + "Region": "eu-west-1", + "GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/GuardDuty.5", + "AwsAccountId": "222555888333", + "Types": [ + "Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices" + ], + "FirstObservedAt": "2024-07-13T00:32:44.734Z", + "LastObservedAt": "2024-07-17T12:36:15.611Z", + "CreatedAt": "2024-07-13T00:32:44.734Z", + "UpdatedAt": "2024-07-17T12:35:59.820Z", + 
"Severity": { + "Product": 70, + "Label": "HIGH", + "Normalized": 70, + "Original": "HIGH" + }, + "Title": "GuardDuty.5 GuardDuty EKS Audit Log Monitoring should be enabled", + "Description": "This control checks whether GuardDuty EKS Audit Log Monitoring is enabled. The control fails if GuardDuty EKS Audit Log Monitoring isn't enabled.", + "Remediation": { + "Recommendation": { + "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "Url": "https://docs.aws.amazon.com/console/securityhub/GuardDuty.5/remediation" + } + }, + "ProductFields": { + "StandardsArn": "arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0", + "StandardsSubscriptionArn": "arn:aws:securityhub:eu-west-1:222555888333:subscription/aws-foundational-security-best-practices/v/1.0.0", + "ControlId": "GuardDuty.5", + "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/GuardDuty.5/remediation", + "RelatedAWSResources:0/name": "securityhub-guardduty-eks-protection-audit-enabled-4ea31c89", + "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", + "StandardsControlArn": "arn:aws:securityhub:eu-west-1:222555888333:control/aws-foundational-security-best-practices/v/1.0.0/GuardDuty.5", + "aws/securityhub/ProductName": "Security Hub", + "aws/securityhub/CompanyName": "AWS", + "Resources:0/Id": "arn:aws:guardduty:eu-west-1:222555888333:detector/c350ca4fd7594d5fbda1f71ac6332dc8", + "aws/securityhub/FindingId": "arn:aws:securityhub:eu-west-1::product/aws/securityhub/arn:aws:securityhub:eu-west-1:222555888333:subscription/aws-foundational-security-best-practices/v/1.0.0/GuardDuty.5/finding/fa64b182-1f5d-4c13-828a-50af12336fd0" + }, + "Resources": [ + { + "Type": "AwsGuardDutyDetector", + "Id": "arn:aws:guardduty:eu-west-1:222555888333:detector/c350ca4fd7594d5fbda1f71ac6332dc8", + "Partition": "aws", + "Region": "eu-west-1", + "Tags": { + "Environment": "staging", + "Env": "stg", + "Stack": "base" + }, + 
"Details": { + "AwsGuardDutyDetector": { + "DataSources": { + "Kubernetes": { + "AuditLogs": { + "Status": "DISABLED" + } + }, + "S3Logs": { + "Status": "ENABLED" + } + }, + "Features": [ + { + "Name": "CLOUD_TRAIL", + "Status": "ENABLED" + }, + { + "Name": "DNS_LOGS", + "Status": "ENABLED" + }, + { + "Name": "FLOW_LOGS", + "Status": "ENABLED" + }, + { + "Name": "S3_DATA_EVENTS", + "Status": "ENABLED" + }, + { + "Name": "EKS_AUDIT_LOGS", + "Status": "DISABLED" + }, + { + "Name": "EBS_MALWARE_PROTECTION", + "Status": "ENABLED" + }, + { + "Name": "RDS_LOGIN_EVENTS", + "Status": "ENABLED" + }, + { + "Name": "EKS_RUNTIME_MONITORING", + "Status": "DISABLED" + }, + { + "Name": "LAMBDA_NETWORK_LOGS", + "Status": "ENABLED" + }, + { + "Name": "RUNTIME_MONITORING", + "Status": "ENABLED" + } + ], + "FindingPublishingFrequency": "FIFTEEN_MINUTES", + "Status": "ENABLED" + } + } + } + ], + "Compliance": { + "Status": "FAILED" + }, + "WorkflowState": "NEW", + "Workflow": { + "Status": "NEW" + }, + "RecordState": "ACTIVE", + "FindingProviderFields": { + "Severity": { + "Label": "HIGH", + "Original": "HIGH" + }, + "Types": [ + "Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices" + ] + }, + "ProcessedAt": "2024-07-17T12:36:18.763Z", + "AwsAccountName": "base-client" + } +] diff --git a/tests/fixtures/non_matching_findings.json b/tests/fixtures/non_matching_findings.json new file mode 100644 index 0000000..2e1d78d --- /dev/null +++ b/tests/fixtures/non_matching_findings.json 
@@ -0,0 +1,433 @@ +[ + { + "SchemaVersion": "2018-10-08", + "Id": "arn:aws:securityhub:eu-west-1:1234567890:security-control/GuardDuty.1/finding/bbfe351f-dc6b-4ea3-9ece-08934a88798d", + "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub", + "ProductName": "Security Hub", + "CompanyName": "AWS", + "Region": "eu-west-1", + "GeneratorId": "security-control/GuardDuty.1", + "AwsAccountId": "1234567890", + "Types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ], + "FirstObservedAt": "2023-11-21T08:22:16.054Z", + "LastObservedAt": "2024-06-24T09:00:51.562Z", + "CreatedAt": "2023-11-21T08:22:16.054Z", + "UpdatedAt": "2024-06-24T09:00:45.686Z", + "Severity": { + "Label": "HIGH", + "Normalized": 70, + "Original": "HIGH" + }, + "Title": "GuardDuty should be enabled", + "Description": "This AWS control checks whether Amazon GuardDuty is enabled in your AWS account and region.", + "Remediation": { + "Recommendation": { + "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "Url": "https://docs.aws.amazon.com/console/securityhub/GuardDuty.1/remediation" + } + }, + "ProductFields": { + "RelatedAWSResources:0/name": "securityhub-guardduty-enabled-centralized-c07f55ef", + "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", + "aws/securityhub/ProductName": "Security Hub", + "aws/securityhub/CompanyName": "AWS", + "aws/securityhub/annotation": "Amazon GuardDuty is not configured.", + "Resources:0/Id": "arn:aws:iam::1234567890:root", + "aws/securityhub/FindingId": "arn:aws:securityhub:eu-west-1::product/aws/securityhub/arn:aws:securityhub:eu-west-1:1234567890:security-control/GuardDuty.1/finding/bbfe351f-dc6b-4ea3-9ece-08934a88798d" + }, + "Resources": [ + { + "Type": "AwsAccount", + "Id": "AWS::::Account:1234567890", + "Partition": "aws", + "Region": "eu-west-1" + } + ], + "Compliance": { + "Status": "FAILED", + "RelatedRequirements": [ + "PCI DSS v3.2.1/11.4" + ], + 
"SecurityControlId": "GuardDuty.1", + "AssociatedStandards": [ + { + "StandardsId": "standards/aws-foundational-security-best-practices/v/1.0.0" + }, + { + "StandardsId": "standards/pci-dss/v/3.2.1" + } + ] + }, + "WorkflowState": "NEW", + "Workflow": { + "Status": "SUPPRESSED" + }, + "RecordState": "ACTIVE", + "Note": { + "Text": "Maybe later", + "UpdatedBy": "FindingsManager", + "UpdatedAt": "2024-06-24T12:45:06.677Z" + }, + "FindingProviderFields": { + "Severity": { + "Label": "HIGH", + "Original": "HIGH" + }, + "Types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ] + }, + "ProcessedAt": "2024-06-24T12:45:06.702Z", + "AwsAccountName": "account1" + }, + { + "SchemaVersion": "2018-10-08", + "Id": "arn:aws:securityhub:eu-west-1:2345678901:security-control/GuardDuty.1/finding/a32acb1c-8a92-4122-b32a-5b35e71d0a6e", + "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub", + "ProductName": "Security Hub", + "CompanyName": "AWS", + "Region": "eu-west-1", + "GeneratorId": "security-control/GuardDuty.1", + "AwsAccountId": "2345678901", + "Types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ], + "FirstObservedAt": "2023-11-21T08:43:17.051Z", + "LastObservedAt": "2024-06-24T08:27:57.806Z", + "CreatedAt": "2023-11-21T08:43:17.051Z", + "UpdatedAt": "2024-06-24T08:27:43.972Z", + "Severity": { + "Label": "HIGH", + "Normalized": 70, + "Original": "HIGH" + }, + "Title": "GuardDuty should be enabled", + "Description": "This AWS control checks whether Amazon GuardDuty is enabled in your AWS account and region.", + "Remediation": { + "Recommendation": { + "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "Url": "https://docs.aws.amazon.com/console/securityhub/GuardDuty.1/remediation" + } + }, + "ProductFields": { + "RelatedAWSResources:0/name": "securityhub-guardduty-enabled-centralized-e9e5d5d1", + "RelatedAWSResources:0/type": 
"AWS::Config::ConfigRule", + "aws/securityhub/ProductName": "Security Hub", + "aws/securityhub/CompanyName": "AWS", + "aws/securityhub/annotation": "Amazon GuardDuty is not configured.", + "Resources:0/Id": "arn:aws:iam::2345678901:root", + "aws/securityhub/FindingId": "arn:aws:securityhub:eu-west-1::product/aws/securityhub/arn:aws:securityhub:eu-west-1:2345678901:security-control/GuardDuty.1/finding/a32acb1c-8a92-4122-b32a-5b35e71d0a6e" + }, + "Resources": [ + { + "Type": "AwsAccount", + "Id": "AWS::::Account:2345678901", + "Partition": "aws", + "Region": "eu-west-1" + } + ], + "Compliance": { + "Status": "FAILED", + "RelatedRequirements": [ + "PCI DSS v3.2.1/11.4" + ], + "SecurityControlId": "GuardDuty.1", + "AssociatedStandards": [ + { + "StandardsId": "standards/aws-foundational-security-best-practices/v/1.0.0" + }, + { + "StandardsId": "standards/pci-dss/v/3.2.1" + } + ] + }, + "WorkflowState": "NEW", + "Workflow": { + "Status": "SUPPRESSED" + }, + "RecordState": "ACTIVE", + "Note": { + "Text": "Maybe later", + "UpdatedBy": "FindingsManager", + "UpdatedAt": "2024-06-24T12:45:06.677Z" + }, + "FindingProviderFields": { + "Severity": { + "Label": "HIGH", + "Original": "HIGH" + }, + "Types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ] + }, + "ProcessedAt": "2024-06-24T12:45:06.706Z", + "AwsAccountName": "account2" + }, + { + "AwsAccountId": "012345678912", + "AwsAccountName": "account", + "CompanyName": "Amazon", + "CreatedAt": "2024-11-11T14:40:00.016Z", + "Description": "A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. 
The highest threat from this vulnerability is to system availability.", + "FindingProviderFields": { + "Types": [ + "Software and Configuration Checks/Vulnerabilities/CVE" + ], + "Severity": { + "Normalized": 70, + "Label": "HIGH" + } + }, + "FirstObservedAt": "2024-11-11T14:40:00.016Z", + "GeneratorId": "AWSInspector", + "Id": "arn:aws:inspector2:eu-west-1:012345678912:finding/m58hv3b9d83b0ee89c7140b30eed55kv", + "LastObservedAt": "2024-11-11T14:40:00.016Z", + "ProcessedAt": "2024-11-11T14:45:08.567Z", + "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/inspector", + "ProductFields": { + "aws/inspector/ProductVersion": "2", + "aws/inspector/FindingStatus": "CLOSED", + "aws/inspector/inspectorScore": "7.5", + "aws/inspector/instanceId": "i-01e8db61387e018b4", + "aws/inspector/resources/1/resourceDetails/awsEc2InstanceDetails/platform": "UBUNTU_22_04", + "aws/securityhub/FindingId": "arn:aws:securityhub:eu-west-1::product/aws/inspector/arn:aws:inspector2:eu-west-1:012345678912:finding/ff4ebfb9d83b0ee89c7140b30eed5ef9", + "aws/securityhub/ProductName": "Inspector", + "aws/securityhub/CompanyName": "Amazon" + }, + "ProductName": "Inspector", + "RecordState": "ARCHIVED", + "Region": "eu-west-1", + "Remediation": { + "Recommendation": { + "Text": "Remediation is available. Please refer to the Fixed version in the vulnerability details section above.For detailed remediation guidance for each of the affected packages, refer to the vulnerabilities section of the detailed finding JSON." 
+ } + }, + "Resources": [ + { + "Details": { + "AwsLambdaFunction": { + "LastModified": "2024-11-18T15:44:49.000Z", + "Role": "arn:aws:iam::012345678912:role/MyLambdaRole", + "FunctionName": "my-lambda-function", + "Runtime": "PYTHON_3_9", + "Version": "$LATEST", + "VpcConfig": { + "VpcId": "vpc-0dc65cacb70bc5d71", + "SubnetIds": [ + "subnet-08946011afffcfa56" + ], + "SecurityGroupIds": [ + "sg-083a41c038a94aebc" + ] + }, + "PackageType": "ZIP", + "CodeSha256": "Nmr6MtHQ9qO0uD97mA/vAyfDh590xqy77R0141mmxbM=", + "Layers": [ + { + "Arn": "arn:aws:lambda:eu-west-1:012345678912:layer:my-layer:206" + } + ], + "Architectures": [ + "X86_64" + ] + } + }, + "Id": "arn:aws:lambda:eu-west-1:012345678912:function:my-lambda-function:$LATEST", + "Partition": "aws", + "Region": "eu-west-1", + "Tags": { + "FunctionName": "my-lambda-function" + }, + "Type": "AwsLambdaFunction" + } + ], + "SchemaVersion": "2018-10-08", + "Severity": { + "Label": "HIGH", + "Normalized": 70 + }, + "Title": "CVE-2021-3737 - python3.10, python3.10-minimal", + "Types": [ + "Software and Configuration Checks/Vulnerabilities/CVE" + ], + "UpdatedAt": "2024-11-11T14:44:51.175Z", + "Vulnerabilities": [ + { + "Cvss": [ + { + "BaseScore": 7.5, + "BaseVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Source": "UBUNTU_CVE", + "Version": "3.1" + }, + { + "BaseScore": 7.5, + "BaseVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Source": "NVD", + "Version": "3.1" + }, + { + "BaseScore": 7.5, + "BaseVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Source": "UBUNTU_CVE", + "Version": "3.1" + } + ], + "EpssScore": 0.01559, + "ExploitAvailable": "NO", + "FixAvailable": "YES", + "Id": "CVE-2021-3737", + "ReferenceUrls": [ + "https://ubuntu.com/security/notices/USN-5083-1", + "https://ubuntu.com/security/notices/USN-5201-1", + "https://ubuntu.com/security/notices/USN-5200-1", + "https://ubuntu.com/security/notices/USN-6891-1", + "https://bugs.python.org/issue44022", + 
"https://www.cve.org/CVERecord?id=CVE-2021-3737", + "https://ubuntu.com/security/notices/USN-5199-1" + ], + "RelatedVulnerabilities": [ + "USN-5200-1", + "USN-5201-1", + "USN-5083-1", + "USN-6891-1", + "USN-5199-1" + ], + "Vendor": { + "VendorCreatedAt": "2022-03-04T19:15:00.000Z", + "VendorSeverity": "medium", + "Url": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-3737.html", + "Name": "UBUNTU_CVE" + }, + "VulnerablePackages": [ + { + "Architecture": "X86_64", + "PackageManager": "OS", + "Version": "3.10.6", + "Epoch": "0", + "FixedInVersion": "0:3.10.12-1~22.04.4", + "Remediation": "apt-get update && apt-get upgrade", + "Release": "1~22.04.2ubuntu1.1", + "Name": "python3.10" + }, + { + "Architecture": "X86_64", + "PackageManager": "OS", + "Version": "3.10.6", + "Epoch": "0", + "FixedInVersion": "0:3.10.12-1~22.04.4", + "Remediation": "apt-get update && apt-get upgrade", + "Release": "1~22.04.2ubuntu1.1", + "Name": "python3.10-minimal" + } + ] + } + ], + "Workflow": { + "Status": "NEW" + }, + "WorkflowState": "NEW" + }, + { + "SchemaVersion": "2018-10-08", + "Id": "arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.9/finding/bcf36529-ad44-4d0e-9e34-647920c266e1", + "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub", + "ProductName": "Security Hub", + "CompanyName": "AWS", + "Region": "eu-west-1", + "GeneratorId": "security-control/S3.9", + "AwsAccountId": "988763490897", + "Types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ], + "FirstObservedAt": "2024-07-24T19:05:01.147Z", + "LastObservedAt": "2024-07-24T19:05:15.610Z", + "CreatedAt": "2024-07-24T19:05:01.147Z", + "UpdatedAt": "2024-07-24T19:05:01.147Z", + "Severity": { + "Label": "MEDIUM", + "Normalized": 40, + "Original": "MEDIUM" + }, + "Title": "S3 general purpose buckets should have server access logging enabled", + "Description": "This control checks whether server access logging is enabled for an Amazon S3 general purpose 
bucket. The control fails if server access logging isn't enabled. When logging is enabled, Amazon S3 delivers access logs for a source bucket to a chosen target bucket. The target bucket must be in the same AWS Region as the source bucket and must not have a default retention period configured. The target logging bucket does not need to have server access logging enabled, and you should suppress findings for this bucket.", + "Remediation": { + "Recommendation": { + "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "Url": "https://docs.aws.amazon.com/console/securityhub/S3.9/remediation" + } + }, + "ProductFields": { + "RelatedAWSResources:0/name": "securityhub-s3-bucket-logging-enabled-a2569319", + "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", + "aws/securityhub/ProductName": "Security Hub", + "aws/securityhub/CompanyName": "AWS", + "Resources:0/Id": "arn:aws:s3:::boeket-prd", + "aws/securityhub/FindingId": "arn:aws:securityhub:eu-west-1::product/aws/securityhub/arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.9/finding/bcf36529-ad44-4d0e-9e34-647920c266e1" + }, + "Resources": [ + { + "Type": "AwsS3Bucket", + "Id": "arn:aws:s3:::boeket-prd", + "Partition": "aws", + "Region": "eu-west-1", + "Tags": { + "ManagedBy": "Terraform" + }, + "Details": { + "AwsS3Bucket": { + "OwnerId": "2240facc0082445db039bc31ec992cbbcbdc1f0f703d4f3dac0f91273a05d33f", + "CreatedAt": "2024-07-24T19:02:52.000Z", + "Name": "boeket-prd" + } + } + } + ], + "Compliance": { + "Status": "FAILED", + "RelatedRequirements": [ + "NIST.800-53.r5 AC-2(4)", + "NIST.800-53.r5 AC-4(26)", + "NIST.800-53.r5 AC-6(9)", + "NIST.800-53.r5 AU-10", + "NIST.800-53.r5 AU-12", + "NIST.800-53.r5 AU-2", + "NIST.800-53.r5 AU-3", + "NIST.800-53.r5 AU-6(3)", + "NIST.800-53.r5 AU-6(4)", + "NIST.800-53.r5 CA-7", + "NIST.800-53.r5 SC-7(9)", + "NIST.800-53.r5 SI-3(8)", + "NIST.800-53.r5 SI-4(20)", + "NIST.800-53.r5 SI-7(8)" + ], + 
"SecurityControlId": "S3.9", + "AssociatedStandards": [ + { + "StandardsId": "standards/aws-foundational-security-best-practices/v/1.0.0" + }, + { + "StandardsId": "standards/nist-800-53/v/5.0.0" + } + ] + }, + "WorkflowState": "NEW", + "Workflow": { + "Status": "NEW" + }, + "RecordState": "ACTIVE", + "FindingProviderFields": { + "Severity": { + "Label": "MEDIUM", + "Original": "MEDIUM" + }, + "Types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ] + }, + "ProcessedAt": "2024-07-24T19:05:18.542Z", + "AwsAccountName": "watcher" + } +] diff --git a/tests/fixtures/suppressions/full.yaml b/tests/fixtures/rules.yaml similarity index 84% rename from tests/fixtures/suppressions/full.yaml rename to tests/fixtures/rules.yaml index 4c059a1..2ed8bf5 100644 --- a/tests/fixtures/suppressions/full.yaml +++ b/tests/fixtures/rules.yaml @@ -27,3 +27,7 @@ Rules: title: 'CVE-2021-3737 - python3.10, python3.10-minimal' resource_id_regexps: - '^arn:aws:ec2:.*:.*:instance/.*$' + - note: 'We also support legacy format findings' + action: 'SUPPRESSED' + match_on: + rule_or_control_id: 'GuardDuty.5' #Legacy format diff --git a/tests/fixtures/suppressions/empty.yaml b/tests/fixtures/rules_empty.yaml similarity index 100% rename from tests/fixtures/suppressions/empty.yaml rename to tests/fixtures/rules_empty.yaml diff --git a/tests/fixtures/suppressions/legacy.yaml b/tests/fixtures/suppressions/legacy.yaml deleted file mode 100644 index 2f2c39c..0000000 --- a/tests/fixtures/suppressions/legacy.yaml +++ /dev/null @@ -1,6 +0,0 @@ -# Comments -Rules: - - note: 'I also like to live dangerously' - action: 'SUPPRESSED' - match_on: - rule_or_control_id: 'IAM.19' diff --git a/tests/fixtures/suppressions/multiple.yaml b/tests/fixtures/suppressions/multiple.yaml deleted file mode 100644 index 905a896..0000000 --- a/tests/fixtures/suppressions/multiple.yaml +++ /dev/null 
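Review bot: The Inspector finding in this fixture is not self-consistent: its `Id` ends in `finding/m58hv3b9d83b0ee89c7140b30eed55kv`, but `ProductFields."aws/securityhub/FindingId"` still ends in `finding/ff4ebfb9d83b0ee89c7140b30eed5ef9`, the identifier of the EC2 finding in matching_findings.json, and `aws/inspector/instanceId` is kept although the only resource is now an `AwsLambdaFunction`. If the matcher or the BatchUpdateFindings payload builder ever keys on the ProductFields identifier rather than on `Id`/`ProductArn`, this negative case would overlap with the positive one and the non-matching assertion would stop proving what it claims; I would rewrite the field as `"aws/securityhub/FindingId": "arn:aws:securityhub:eu-west-1::product/aws/inspector/arn:aws:inspector2:eu-west-1:012345678912:finding/m58hv3b9d83b0ee89c7140b30eed55kv"` and drop the stale `instanceId`. The two GuardDuty.1 findings already carry `Workflow.Status: SUPPRESSED` and a FindingsManager note, so it is worth confirming they are in this file because no rule in rules.yaml targets GuardDuty.1, not merely because they are pre-suppressed. Minor: `AwsAccountId` values `1234567890` and `2345678901` are ten digits while real account IDs are twelve, which matters if the library ever validates or zero-pads them.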
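Review bot: The new GuardDuty.5 rule matches on `rule_or_control_id` alone, with no resource, tag or account scoping, so as written it suppresses every GuardDuty.5 ("GuardDuty EKS Audit Log Monitoring should be enabled", severity HIGH in matching_findings.json) finding the query returns; that is acceptable for a fixture, but the trailing comment should say which finding it pairs with and get a space after the hash, e.g. `# Legacy format: pairs with the aws-foundational-security-best-practices/v/1.0.0/GuardDuty.5 finding`. It would also be worth adding a consolidated-format GuardDuty.5 finding (GeneratorId `security-control/GuardDuty.5`) to one of the fixtures so the suite pins down whether `rule_or_control_id` is meant to match only legacy IDs or both ID styles; from the fixtures visible here that distinction is not exercised. The other fixtures suggest the rule `note` is what gets written back into the finding's Note field, so a note that describes the business reason rather than 'We also support legacy format findings' would make the expected-payload fixture read more like production data.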
@@ -1,12 +0,0 @@
-# Comments
-Rules:
-  - note: 'Maybe later'
-    action: 'SUPPRESSED'
-    match_on:
-      security_control_id: 'GuardDuty.1'
-  - note: 'Public'
-    action: 'SUPPRESSED'
-    match_on:
-      resource_id_regexps:
-        - '^arn:aws:s3:::public-bucket$'
-        - '^arn:aws:s3:::bucket-public$'
diff --git a/tests/fixtures/suppressions/single.yaml b/tests/fixtures/suppressions/single.yaml
deleted file mode 100644
index 76ba5f3..0000000
--- a/tests/fixtures/suppressions/single.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-# Comments
-Rules:
-  - note: 'I also like to live dangerously'
-    action: 'SUPPRESSED'
-    match_on:
-      security_control_id: 'IAM.19'
diff --git a/tests/test_suppressions.py b/tests/test_suppressions.py
index 1c4eb36..c862f44 100644
--- a/tests/test_suppressions.py
+++ b/tests/test_suppressions.py
@@ -28,8 +28,15 @@ """
 from unittest.mock import patch, MagicMock
-from .utils import FindingsManagerTestCase
-import json
+from .utils import (
+    FindingsManagerTestCase,
+    mock_security_hub_query_response,
+    batch_update_findings_mock,
+    findings_fixture,
+    non_matching_findings_fixture,
+    expected_matched_findings_fixture,
+    expected_batch_update_findings,
+)
 __author__ = '''Carlo van Overbeek '''
 __docformat__ = '''google'''
@@ -41,118 +48,53 @@ __email__ = '''''' __status__ = '''Development''' # "Prototype", "Development", "Production". - -with open('tests/fixtures/findings/api_consolidated.json', encoding='utf-8') as findings_file: - api_consolidated_findings_fixture = json.load(findings_file) - -with open('tests/fixtures/findings/gui_legacy.json', encoding='utf-8') as findings_file: - gui_legacy_findings_fixture = json.load(findings_file) - -with open('tests/fixtures/batch_update_findings.json', encoding='utf-8') as updates_file: - batch_update_findings_fixture = json.load(updates_file) - -with open('tests/fixtures/batch_update_findings_full.json', encoding='utf-8') as updates_file: - batch_update_findings_full_fixture = json.load(updates_file) - -full_findings_fixture = [] -for identifier in ['S3.8', 'S3.9', 'S3.14', 'S3.20', 'Inspector']: - for env in ['dev', 'acc', 'prd']: - with open(f'tests/fixtures/findings/full/{identifier}/{env}.json', encoding='utf-8') as findings_file: - full_findings_fixture.append(json.load(findings_file)) - -# this one goes together with a query based on suppressions/full.yaml -findings_by_identifier_fixture = {} -# there is no id S3.8 suppression in suppressions/full.yaml -for identifier in ['S3.9', 'S3.14', 'S3.20', 'Inspector']: - findings_by_identifier_fixture[identifier] = [] - # a query with tags already filters out the non-conforming ones, - # hence no dev for S3.14 - for env in ['dev', 'acc', 'prd'] if identifier != 'S3.14' else ['acc', 'prd']: - with open(f'tests/fixtures/findings/full/{identifier}/{env}.json', encoding='utf-8') as findings_file: - findings_by_identifier_fixture[identifier].append( - json.load(findings_file)) - -with open('tests/fixtures/matches.json', encoding='utf-8') as matches_file: - full_matches_fixture = json.load(matches_file) - - -def batch_update_findings_mock(_, payload): - return (True, payload) - - -class TestValidation(FindingsManagerTestCase): - backend_file = './tests/fixtures/suppressions/single.yaml' - - def 
test_basic_run(self): - self.assertEqual( - [], - self.findings_manager._construct_findings_on_matching_rules( - api_consolidated_findings_fixture['Findings']) - ) - - -class TestLegacyValidation(FindingsManagerTestCase): - backend_file = './tests/fixtures/suppressions/legacy.yaml' - - def test_basic_run(self): - self.assertEqual( - [], - self.findings_manager._construct_findings_on_matching_rules( - gui_legacy_findings_fixture) - ) - - -class TestBasicRun(FindingsManagerTestCase): - @patch( - 'awsfindingsmanagerlib.FindingsManager._get_security_hub_paginator_iterator', - lambda *_, **__: [api_consolidated_findings_fixture], - ) - @patch('awsfindingsmanagerlib.FindingsManager._batch_update_findings', side_effect=batch_update_findings_mock) - def test_basic_run(self, _batch_update_findings_mocked: MagicMock): - success, payloads = self.findings_manager.suppress_matching_findings() - self.assertTrue(success) - self.assert_batch_update_findings( - [batch_update_findings_fixture], payloads) - class TestNoSuppressions(FindingsManagerTestCase): - backend_file = './tests/fixtures/suppressions/empty.yaml' + backend_file = './tests/fixtures/rules_empty.yaml' @patch( 'awsfindingsmanagerlib.FindingsManager._get_security_hub_paginator_iterator', - lambda *_, **__: [api_consolidated_findings_fixture], + lambda *_, **__: [{'Findings': findings_fixture}], ) @patch('awsfindingsmanagerlib.FindingsManager._batch_update_findings', side_effect=batch_update_findings_mock) - def test_basic_run(self, _batch_update_findings_mocked: MagicMock): + def test_can_run_empty_rules(self, _batch_update_findings_mocked: MagicMock): + "Test if having findings but no suppression rules returns an empty list." 
success, payloads = self.findings_manager.suppress_matching_findings() self.assertTrue(success) self.assertListEqual([], payloads) -class TestFullSuppressions(FindingsManagerTestCase): - backend_file = './tests/fixtures/suppressions/full.yaml' +class TestSuppressions(FindingsManagerTestCase): + def test_can_ignore_non_suppressed_findings(self): + """Test if having no matches between findings and suppression rules returns an empty list.""" + self.assertEqual( + [], + self.findings_manager._construct_findings_on_matching_rules(non_matching_findings_fixture) + ) - def test_validation(self): - self.assertEqual(full_matches_fixture, - [dict(finding._data, matched_rule=finding._matched_rule._data) - for finding in self.findings_manager._construct_findings_on_matching_rules(full_findings_fixture)] - ) + def test_can_match_suppressions_with_findings(self): + """Test if having matching and non-matching findings returns only the ones that match the suppression rules.""" + matched_findings = [dict(finding._data, matched_rule=finding._matched_rule._data) + for finding in self.findings_manager._construct_findings_on_matching_rules(findings_fixture)] + self.assertEqual(len(expected_matched_findings_fixture), len(matched_findings)) + for finding in matched_findings: + self.assertIn(finding, expected_matched_findings_fixture) @patch('awsfindingsmanagerlib.FindingsManager._batch_update_findings', side_effect=batch_update_findings_mock) - def test_payload_construction(self, _batch_update_findings_mocked: MagicMock): - success, payloads = self.findings_manager.suppress_findings_on_matching_rules( - full_findings_fixture) + def test_can_suppress_using_events(self, _batch_update_findings_mocked: MagicMock): + """Test if can suppress based on findings events""" + success, suppression_updates = self.findings_manager.suppress_findings_on_matching_rules( + findings_fixture) self.assertTrue(success) self.assert_batch_update_findings( - batch_update_findings_full_fixture, payloads) + 
expected_batch_update_findings, suppression_updates) @patch( 'awsfindingsmanagerlib.FindingsManager._get_security_hub_paginator_iterator', - lambda *_, **kwargs: [{ - 'Findings': findings_by_identifier_fixture[kwargs['query_filter']['ComplianceSecurityControlId'][0]['Value'] if 'ComplianceSecurityControlId' in kwargs['query_filter'] else kwargs['query_filter']['ProductName'][0]['Value']] - }], + mock_security_hub_query_response, ) @patch('awsfindingsmanagerlib.FindingsManager._batch_update_findings', side_effect=batch_update_findings_mock) - def test_from_query(self, _batch_update_findings_mocked: MagicMock): - success, payloads = self.findings_manager.suppress_matching_findings() + def test_can_suppress_using_query(self, _batch_update_findings_mocked: MagicMock): + """Test if can suppress based on SecurityHub query results""" + success, suppression_updates = self.findings_manager.suppress_matching_findings() self.assertTrue(success) self.assert_batch_update_findings( - batch_update_findings_full_fixture, payloads) + expected_batch_update_findings, suppression_updates) diff --git a/tests/utils.py b/tests/utils.py index 6112457..abcc79a 100644 --- a/tests/utils.py +++ b/tests/utils.py @@ -32,6 +32,7 @@ from unittest.mock import MagicMock from unittest import TestCase from typing import List +import json __author__ = '''Carlo van Overbeek ''' __docformat__ = '''google''' 
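Review bot: `test_can_match_suppressions_with_findings` only checks that the two lengths agree and that each matched finding appears somewhere in the expected list, so a duplicated match next to a missing one still passes; `self.assertCountEqual(expected_matched_findings_fixture, matched_findings)` pins the exact multiset in one call and works with unhashable dicts. The docstring added to `test_can_run_empty_rules` is a single-quoted string while its siblings use triple quotes, and the docstrings of `test_can_suppress_using_events` and `test_can_suppress_using_query` lack a terminating period — worth normalizing given `__docformat__ = 'google'`. With the fixtures now imported from `tests.utils`, nothing in this module documents where `findings_fixture` comes from; a one-line comment on the class, `# fixtures and mocks are loaded once in tests/utils.py`, would help the next reader.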
@@ -43,6 +44,19 @@ __email__ = '''''' __status__ = '''Development''' # "Prototype", "Development", "Production". +with open('tests/fixtures/matching_findings.json', encoding='utf-8') as matching_findings_file: + findings_fixture = json.load(matching_findings_file) + with open('tests/fixtures/non_matching_findings.json', encoding='utf-8') as non_matching_findings_file: + findings_fixture.extend(json.load(non_matching_findings_file)) + +with open('tests/fixtures/non_matching_findings.json', encoding='utf-8') as non_matching_findings_file: + non_matching_findings_fixture = json.load(non_matching_findings_file) + +with open('tests/fixtures/expected_matched_findings.json', encoding='utf-8') as expected_matched_findings_file: + expected_matched_findings_fixture = json.load(expected_matched_findings_file) + +with open('tests/fixtures/expected_batch_update_findings.json', encoding='utf-8') as batch_update_file: + expected_batch_update_findings = json.load(batch_update_file) class FindingsManager(FindingsManagerToMock): @@ -58,9 +72,8 @@ def _get_security_hub_client(region: str): def _get_sts_client(): return MagicMock() - class FindingsManagerTestCase(TestCase): - backend_file = './tests/fixtures/suppressions/multiple.yaml' + backend_file = './tests/fixtures/rules.yaml' def setUp(self) -> None: local_backend = Local(self.backend_file) 
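Review bot: The nested `with` in the new fixture block keeps `matching_findings.json` open while `non_matching_findings.json` is read, and that second file is then opened again a few lines later to build `non_matching_findings_fixture`; loading each file once and composing `findings_fixture = matching_findings + non_matching_findings_fixture` avoids the duplicate read and the nesting. All four paths are relative to the current working directory, so importing `tests.utils` from anywhere other than the repository root fails at import time with `FileNotFoundError`; anchoring them on `Path(__file__).parent / 'fixtures'` would remove that assumption. The `import json` this block depends on is introduced by the earlier hunk of this file, so the two hunks only work together.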
@@ -93,3 +106,27 @@ def assert_batch_update_findings(self, batch_update_findings_expected: List[dict
 continue
 else:
 self.assertTrue(False, f'expected call not found: {expected}')
+
+def batch_update_findings_mock(_, payload):
+ return (True, payload)
+
+def mock_security_hub_query_response(*_, **kwargs):
+ findings_by_identifier_fixture = {}
+ for finding in findings_fixture:
+ if 'Compliance' in finding and 'SecurityControlId' in finding['Compliance']:
+ identifier = finding['Compliance']['SecurityControlId']
+ elif 'ControlId' in finding['ProductFields']:
+ identifier = finding['ProductFields']['ControlId']
+ else:
+ identifier = finding['ProductName']
+ findings_by_identifier_fixture.setdefault(identifier, [])
+ findings_by_identifier_fixture[identifier].append(finding)
+
+ if 'ComplianceSecurityControlId' in kwargs['query_filter']:
+ return [{'Findings': findings_by_identifier_fixture[kwargs['query_filter']['ComplianceSecurityControlId'][0]['Value']]}]
+ elif 'ProductFields' in kwargs['query_filter']:
+ return [{'Findings': findings_by_identifier_fixture[kwargs['query_filter']['ProductFields'][0]['Value']]}]
+ elif 'ProductName' in kwargs['query_filter']:
+ return [{'Findings': findings_by_identifier_fixture[kwargs['query_filter']['ProductName'][0]['Value']]}]
+ else:
+ return [{'Findings': []}]
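Review bot: `mock_security_hub_query_response` indexes `finding['ProductFields']` unconditionally in its `elif` and `findings_by_identifier_fixture[...]` in each return branch, so a fixture finding without `ProductFields`, or a query for an identifier that no fixture finding carries, raises `KeyError` inside the mock instead of returning an empty page; `elif 'ControlId' in finding.get('ProductFields', {}):` and `findings_by_identifier_fixture.get(value, [])` would make the mock fail only on what the tests actually assert. The grouping loop also reruns on every call although `findings_fixture` is module-level and never changes, so the index could be built once at import time. In the `ProductFields` branch only `[0]['Value']` is consulted; if the filter entries carry a `Key` alongside the value, the mock silently ignores which product field was queried, which deserves a comment such as `# assumes the first ProductFields filter entry is the ControlId value`.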