package cloudwatch

import (
	"testing"

	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"

	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/cloudtrail"
	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/cloudwatch"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/state"
	"github.com/stretchr/testify/assert"
)

// TestCheckRequireIAMPolicyChangeAlarm runs requireIAMPolicyChangeAlarm against a
// table of AWS states and checks, per case, whether the rule produces a failed
// result carrying the rule's own LongID. expected == true means "a finding is
// raised for this state".
func TestCheckRequireIAMPolicyChangeAlarm(t *testing.T) {
	// Both cases share one log group ARN: the trail ships to it and the
	// CloudWatch side declares a log group with the same ARN.
	const logGroupArn = "arn:aws:cloudwatch:us-east-1:123456789012:log-group:cloudtrail-logging"

	// Filter pattern enumerating the IAM policy mutation events the passing
	// case has a metric filter (and alarm) for.
	const iamPolicyChangePattern = `{($.eventName=DeleteGroupPolicy) ||
	($.eventName=DeleteRolePolicy) ||
	($.eventName=DeleteUserPolicy) ||
	($.eventName=PutGroupPolicy) ||
	($.eventName=PutRolePolicy) ||
	($.eventName=PutUserPolicy) ||
	($.eventName=CreatePolicy) ||
	($.eventName=DeletePolicy) ||
	($.eventName=CreatePolicyVersion) ||
	($.eventName=DeletePolicyVersion) ||
	($.eventName=AttachRolePolicy) ||
	($.eventName=DetachRolePolicy) ||
	($.eventName=AttachUserPolicy) ||
	($.eventName=DetachUserPolicy) ||
	($.eventName=AttachGroupPolicy) ||
	($.eventName=DetachGroupPolicy)}`

	// newTrail builds the trail setup both cases use: a single multi-region
	// trail that is logging and delivers to logGroupArn.
	newTrail := func() cloudtrail.CloudTrail {
		return cloudtrail.CloudTrail{
			Trails: []cloudtrail.Trail{
				{
					Metadata:                  defsecTypes.NewTestMetadata(),
					CloudWatchLogsLogGroupArn: defsecTypes.String(logGroupArn, defsecTypes.NewTestMetadata()),
					IsLogging:                 defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
					IsMultiRegion:             defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
				},
			},
		}
	}

	// newLogGroup builds the log group at logGroupArn carrying the given
	// metric filters (an empty, non-nil slice for the "no filter" case).
	newLogGroup := func(filters []cloudwatch.MetricFilter) cloudwatch.LogGroup {
		return cloudwatch.LogGroup{
			Metadata:      defsecTypes.NewTestMetadata(),
			Arn:           defsecTypes.String(logGroupArn, defsecTypes.NewTestMetadata()),
			MetricFilters: filters,
		}
	}

	cases := []struct {
		name       string
		cloudtrail cloudtrail.CloudTrail
		cloudwatch cloudwatch.CloudWatch
		expected   bool
	}{
		{
			// Filter matching the IAM policy events plus an alarm wired to the
			// same metric name: the rule is expected not to flag this state.
			name:       "Multi-region CloudTrail alarms on IAM Policy change",
			cloudtrail: newTrail(),
			cloudwatch: cloudwatch.CloudWatch{
				LogGroups: []cloudwatch.LogGroup{
					newLogGroup([]cloudwatch.MetricFilter{
						{
							Metadata:      defsecTypes.NewTestMetadata(),
							FilterName:    defsecTypes.String("IAMPolicyChanged", defsecTypes.NewTestMetadata()),
							FilterPattern: defsecTypes.String(iamPolicyChangePattern, defsecTypes.NewTestMetadata()),
						},
					}),
				},
				Alarms: []cloudwatch.Alarm{
					{
						Metadata:   defsecTypes.NewTestMetadata(),
						AlarmName:  defsecTypes.String("IAMPolicyChanged", defsecTypes.NewTestMetadata()),
						MetricName: defsecTypes.String("IAMPolicyChanged", defsecTypes.NewTestMetadata()),
						Metrics: []cloudwatch.MetricDataQuery{
							{
								Metadata: defsecTypes.NewTestMetadata(),
								ID:       defsecTypes.String("IAMPolicyChanged", defsecTypes.NewTestMetadata()),
							},
						},
					},
				},
			},
			expected: false,
		},
		{
			// No metric filter on the log group and the only alarm is for an
			// unrelated metric: the rule is expected to flag this state.
			name:       "Multi-region CloudTrail has no filter for IAM Policy change",
			cloudtrail: newTrail(),
			cloudwatch: cloudwatch.CloudWatch{
				LogGroups: []cloudwatch.LogGroup{
					newLogGroup([]cloudwatch.MetricFilter{}),
				},
				Alarms: []cloudwatch.Alarm{
					{
						Metadata:  defsecTypes.NewTestMetadata(),
						AlarmName: defsecTypes.String("CloudTrail_Unauthorized_API_Call", defsecTypes.NewTestMetadata()),
						Metrics: []cloudwatch.MetricDataQuery{
							{},
						},
					},
				},
			},
			expected: true,
		},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			var s state.State
			s.AWS.CloudTrail = tc.cloudtrail
			s.AWS.CloudWatch = tc.cloudwatch

			results := requireIAMPolicyChangeAlarm.Evaluate(&s)
			ruleID := requireIAMPolicyChangeAlarm.Rule().LongID()

			// A finding counts only if it is a failure attributed to this rule.
			failed := false
			for _, r := range results {
				if r.Status() == scan.StatusFailed && r.Rule().LongID() == ruleID {
					failed = true
				}
			}

			switch {
			case tc.expected:
				assert.True(t, failed, "Rule should have been found")
			default:
				assert.False(t, failed, "Rule should not have been found")
			}
		})
	}
}