Merge branch 'main' into health-status-agent-v2

elastic · Dec 19, 2022 · fc5eda9 · fc5eda9
2 parents 1ebe7b9 + ac69988
commit fc5eda9
Show file tree

Hide file tree

Showing 11 changed files with 1,070 additions and 39 deletions.
diff --git a/deploy/aws/cloudbeat-aws.yml b/deploy/aws/cloudbeat-aws.yml
@@ -1,7 +1,7 @@
 cloudbeat:
   type: cloudbeat/cis_aws
-  access_key_id: ""
-  secret_access_key: ""
+  access_key_id: ${AWS_ACCESS_KEY_ID:""}
+  secret_access_key: ${AWS_SECRET_ACCESS_KEY:""}
   # Defines how often an event is sent to the output
   period: 30s
   fetchers:
@@ -13,6 +13,9 @@ cloudbeat:
       cis_aws:
         - cis_1_8
         - cis_1_9
+        - cis_1_10
+        - cis_1_11
+        - cis_1_13
 # =================================== Kibana ===================================
 setup.kibana:
 

diff --git a/resources/fetchers/iam_fetcher.go b/resources/fetchers/iam_fetcher.go
@@ -44,27 +44,40 @@ type IAMResource struct {
 	identity *awslib.Identity
 }
 
+// Fetch collects IAM resources, such as password-policy and IAM users.
+// The resources are enriched by the provider and being send to evaluation.
 func (f IAMFetcher) Fetch(ctx context.Context, cMetadata fetching.CycleMetadata) error {
 	f.log.Debug("Starting IAMFetcher.Fetch")
+	iamResources := make([]awslib.AwsResource, 0)
 
 	pwdPolicy, err := f.iamProvider.GetPasswordPolicy(ctx)
 	if err != nil {
-		return err
+		f.log.Errorf("Unable to fetch PasswordPolicy, error: %v", err)
+	} else {
+		iamResources = append(iamResources, pwdPolicy)
 	}
 
-	f.resourceCh <- fetching.ResourceInfo{
-		Resource: IAMResource{
-			AwsResource: pwdPolicy,
-			identity:    f.cloudIdentity,
-		},
-		CycleMetadata: cMetadata,
+	users, err := f.iamProvider.GetUsers(ctx)
+	if err != nil {
+		f.log.Errorf("Unable to fetch IAM users, error: %v", err)
+	} else {
+		iamResources = append(iamResources, users...)
+	}
+
+	for _, iamResource := range iamResources {
+		f.resourceCh <- fetching.ResourceInfo{
+			Resource: IAMResource{
+				AwsResource: iamResource,
+				identity:    f.cloudIdentity,
+			},
+			CycleMetadata: cMetadata,
+		}
 	}
 
 	return nil
 }
 
-func (f IAMFetcher) Stop() {
-}
+func (f IAMFetcher) Stop() {}
 
 func (r IAMResource) GetData() any {
 	return r.AwsResource

diff --git a/resources/fetchers/iam_fetcher_test.go b/resources/fetchers/iam_fetcher_test.go
@@ -27,6 +27,7 @@ import (
 	"github.com/pkg/errors"
 	"github.com/stretchr/testify/suite"
 	"testing"
+	"time"
 )
 
 type IamFetcherTestSuite struct {
@@ -36,10 +37,7 @@ type IamFetcherTestSuite struct {
 	resourceCh chan fetching.ResourceInfo
 }
 
-type IamProviderReturnVals struct {
-	pwdPolicy awslib.AwsResource
-	err       error
-}
+type mocksReturnVals map[string][]any
 
 func TestIamFetcherTestSuite(t *testing.T) {
 	s := new(IamFetcherTestSuite)
@@ -60,7 +58,8 @@ func (s *IamFetcherTestSuite) TearDownTest() {
 	close(s.resourceCh)
 }
 
-func (s *IamFetcherTestSuite) TestIamFetcherFetch() {
+func (s *IamFetcherTestSuite) TestIamFetcher_Fetch() {
+	testAccount := "test-account"
 	pwdPolicy := iam.PasswordPolicy{
 		ReusePreventionCount: 5,
 		RequireLowercase:     true,
@@ -71,25 +70,59 @@ func (s *IamFetcherTestSuite) TestIamFetcherFetch() {
 		MinimumLength:        8,
 	}
 
-	testAccount := "test-account"
+	iamUser := iam.User{
+		Name: "test",
+		AccessKeys: []iam.AccessKey{{
+			AccessKeyId:  "",
+			Active:       false,
+			CreationDate: time.Time{},
+			LastAccess:   time.Time{},
+			HasUsed:      false},
+		},
+		MFADevices:  nil,
+		LastAccess:  time.Time{},
+		Arn:         "testArn",
+		HasLoggedIn: false,
+	}
 
 	var tests = []struct {
-		mockReturnVal      IamProviderReturnVals
+		name               string
+		mocksReturnVals    mocksReturnVals
 		account            string
 		numExpectedResults int
 	}{
 		{
-			mockReturnVal: IamProviderReturnVals{
-				pwdPolicy: pwdPolicy,
-				err:       nil,
+			name: "Should get password policy and an IAM user",
+			mocksReturnVals: mocksReturnVals{
+				"GetPasswordPolicy": {pwdPolicy, nil},
+				"GetUsers":          {[]awslib.AwsResource{iamUser}, nil},
+			},
+			account:            testAccount,
+			numExpectedResults: 2,
+		},
+		{
+			name: "Receives only an IAM user due to an error in GetPasswordPolicy",
+			mocksReturnVals: mocksReturnVals{
+				"GetPasswordPolicy": {nil, errors.New("Fail to fetch pwd policy")},
+				"GetUsers":          {[]awslib.AwsResource{iamUser}, nil},
 			},
 			account:            testAccount,
 			numExpectedResults: 1,
 		},
 		{
-			mockReturnVal: IamProviderReturnVals{
-				pwdPolicy: nil,
-				err:       errors.New("Fail to fetch pwd policy"),
+			name: "Should get only a password policy resource due to an error in GetUsers",
+			mocksReturnVals: mocksReturnVals{
+				"GetPasswordPolicy": {pwdPolicy, nil},
+				"GetUsers":          {nil, errors.New("Fail to fetch iam users")},
+			},
+			account:            testAccount,
+			numExpectedResults: 1,
+		},
+		{
+			name: "Should not get any IAM resources",
+			mocksReturnVals: mocksReturnVals{
+				"GetPasswordPolicy": {nil, errors.New("Fail to fetch pwd policy")},
+				"GetUsers":          {nil, errors.New("Fail to fetch iam users")},
 			},
 			account:            testAccount,
 			numExpectedResults: 0,
@@ -101,12 +134,14 @@ func (s *IamFetcherTestSuite) TestIamFetcherFetch() {
 			AwsBaseFetcherConfig: fetching.AwsBaseFetcherConfig{},
 		}
 
-		iamProvider := &iam.MockAccessManagement{}
-		iamProvider.EXPECT().GetPasswordPolicy(context.TODO()).Return(test.mockReturnVal.pwdPolicy, test.mockReturnVal.err)
+		iamProviderMock := &iam.MockAccessManagement{}
+		for funcName, returnVals := range test.mocksReturnVals {
+			iamProviderMock.On(funcName, context.TODO()).Return(returnVals...)
+		}
 
-		eksFetcher := IAMFetcher{
+		iamFetcher := IAMFetcher{
 			log:         s.log,
-			iamProvider: iamProvider,
+			iamProvider: iamProviderMock,
 			cfg:         iamCfg,
 			resourceCh:  s.resourceCh,
 			cloudIdentity: &awslib.Identity{
@@ -116,12 +151,10 @@ func (s *IamFetcherTestSuite) TestIamFetcherFetch() {
 
 		ctx := context.Background()
 
-		err := eksFetcher.Fetch(ctx, fetching.CycleMetadata{})
-		results := testhelper.CollectResources(s.resourceCh)
+		err := iamFetcher.Fetch(ctx, fetching.CycleMetadata{})
+		s.NoError(err)
 
-		s.Equal(len(results), test.numExpectedResults)
-		if test.mockReturnVal.err == nil {
-			s.NoError(err)
-		}
+		results := testhelper.CollectResources(s.resourceCh)
+		s.Equal(test.numExpectedResults, len(results))
 	}
 }
diff --git a/resources/fetching/fetcher.go b/resources/fetching/fetcher.go
@@ -30,6 +30,7 @@ const (
 	EcrType       = "aws-ecr"
 	IAMType       = "aws-iam"
 	ElbType       = "aws-elb"
+	IAMUserType   = "aws-iam-user"
 	PwdPolicyType = "aws-password-policy"
 	EksType       = "aws-eks"