github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/cloudwatch/require_iam_policy_change_alarm_test.go (about)

     1  package cloudwatch
     2  
     3  import (
     4  	"testing"
     5  
     6  	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"
     7  
     8  	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/cloudtrail"
     9  	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/cloudwatch"
    10  	"github.com/khulnasoft-lab/defsec/pkg/scan"
    11  	"github.com/khulnasoft-lab/defsec/pkg/state"
    12  	"github.com/stretchr/testify/assert"
    13  )
    14  
    15  func TestCheckRequireIAMPolicyChangeAlarm(t *testing.T) {
    16  	tests := []struct {
    17  		name       string
    18  		cloudtrail cloudtrail.CloudTrail
    19  		cloudwatch cloudwatch.CloudWatch
    20  		expected   bool
    21  	}{
    22  		{
    23  			name: "Multi-region CloudTrail alarms on IAM Policy change",
    24  			cloudtrail: cloudtrail.CloudTrail{
    25  				Trails: []cloudtrail.Trail{
    26  					{
    27  						Metadata:                  defsecTypes.NewTestMetadata(),
    28  						CloudWatchLogsLogGroupArn: defsecTypes.String("arn:aws:cloudwatch:us-east-1:123456789012:log-group:cloudtrail-logging", defsecTypes.NewTestMetadata()),
    29  						IsLogging:                 defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
    30  						IsMultiRegion:             defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
    31  					},
    32  				},
    33  			},
    34  			cloudwatch: cloudwatch.CloudWatch{
    35  				LogGroups: []cloudwatch.LogGroup{
    36  					{
    37  						Metadata: defsecTypes.NewTestMetadata(),
    38  						Arn:      defsecTypes.String("arn:aws:cloudwatch:us-east-1:123456789012:log-group:cloudtrail-logging", defsecTypes.NewTestMetadata()),
    39  						MetricFilters: []cloudwatch.MetricFilter{
    40  							{
    41  								Metadata:   defsecTypes.NewTestMetadata(),
    42  								FilterName: defsecTypes.String("IAMPolicyChanged", defsecTypes.NewTestMetadata()),
    43  								FilterPattern: defsecTypes.String(`{($.eventName=DeleteGroupPolicy) || 
    44  ($.eventName=DeleteRolePolicy) || 
    45  ($.eventName=DeleteUserPolicy) || 
    46  ($.eventName=PutGroupPolicy) || 
    47  ($.eventName=PutRolePolicy) || 
    48  ($.eventName=PutUserPolicy) || 
    49  ($.eventName=CreatePolicy) || 
    50  ($.eventName=DeletePolicy) || 
    51  ($.eventName=CreatePolicyVersion) || 
    52  ($.eventName=DeletePolicyVersion) || 
    53  ($.eventName=AttachRolePolicy) ||
    54  ($.eventName=DetachRolePolicy) ||
    55  ($.eventName=AttachUserPolicy) || 
    56  ($.eventName=DetachUserPolicy) || 
    57  ($.eventName=AttachGroupPolicy) || 
    58  ($.eventName=DetachGroupPolicy)}`, defsecTypes.NewTestMetadata()),
    59  							},
    60  						},
    61  					},
    62  				},
    63  				Alarms: []cloudwatch.Alarm{
    64  					{
    65  						Metadata:   defsecTypes.NewTestMetadata(),
    66  						AlarmName:  defsecTypes.String("IAMPolicyChanged", defsecTypes.NewTestMetadata()),
    67  						MetricName: defsecTypes.String("IAMPolicyChanged", defsecTypes.NewTestMetadata()),
    68  						Metrics: []cloudwatch.MetricDataQuery{
    69  							{
    70  								Metadata: defsecTypes.NewTestMetadata(),
    71  								ID:       defsecTypes.String("IAMPolicyChanged", defsecTypes.NewTestMetadata()),
    72  							},
    73  						},
    74  					},
    75  				},
    76  			},
    77  			expected: false,
    78  		},
    79  		{
    80  			name: "Multi-region CloudTrail has no filter for IAM Policy change",
    81  			cloudtrail: cloudtrail.CloudTrail{
    82  				Trails: []cloudtrail.Trail{
    83  					{
    84  						Metadata:                  defsecTypes.NewTestMetadata(),
    85  						CloudWatchLogsLogGroupArn: defsecTypes.String("arn:aws:cloudwatch:us-east-1:123456789012:log-group:cloudtrail-logging", defsecTypes.NewTestMetadata()),
    86  						IsLogging:                 defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
    87  						IsMultiRegion:             defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
    88  					},
    89  				},
    90  			},
    91  			cloudwatch: cloudwatch.CloudWatch{
    92  				LogGroups: []cloudwatch.LogGroup{
    93  					{
    94  						Metadata:      defsecTypes.NewTestMetadata(),
    95  						Arn:           defsecTypes.String("arn:aws:cloudwatch:us-east-1:123456789012:log-group:cloudtrail-logging", defsecTypes.NewTestMetadata()),
    96  						MetricFilters: []cloudwatch.MetricFilter{},
    97  					},
    98  				},
    99  				Alarms: []cloudwatch.Alarm{
   100  					{
   101  						Metadata:  defsecTypes.NewTestMetadata(),
   102  						AlarmName: defsecTypes.String("CloudTrail_Unauthorized_API_Call", defsecTypes.NewTestMetadata()),
   103  						Metrics: []cloudwatch.MetricDataQuery{
   104  							{},
   105  						},
   106  					},
   107  				},
   108  			},
   109  			expected: true,
   110  		},
   111  	}
   112  	for _, test := range tests {
   113  		t.Run(test.name, func(t *testing.T) {
   114  			var testState state.State
   115  			testState.AWS.CloudWatch = test.cloudwatch
   116  			testState.AWS.CloudTrail = test.cloudtrail
   117  			results := requireIAMPolicyChangeAlarm.Evaluate(&testState)
   118  			var found bool
   119  			for _, result := range results {
   120  				if result.Status() == scan.StatusFailed && result.Rule().LongID() == requireIAMPolicyChangeAlarm.Rule().LongID() {
   121  					found = true
   122  				}
   123  			}
   124  			if test.expected {
   125  				assert.True(t, found, "Rule should have been found")
   126  			} else {
   127  				assert.False(t, found, "Rule should not have been found")
   128  			}
   129  		})
   130  	}
   131  }