diff --git a/aws/policy/security-services.yaml b/aws/policy/security-services.yaml
index 43d8f135..310f44d0 100644
--- a/aws/policy/security-services.yaml
+++ b/aws/policy/security-services.yaml
@@ -127,6 +127,12 @@ Statement:
   - Sid: AllowGlobalUnrestrictedResourceActionsWhichIncurNoFees
     Effect: Allow
     Action:
+      - config:DeleteConfigRule
+      - config:DeleteConfigurationRecorder
+      - config:DeleteDeliveryChannel
+      - config:DescribeConfigRules
+      - config:DescribeConfigurationRecorders
+      - config:DescribeDeliveryChannels
       - iam:GetRole
       - iam:ListAttachedRolePolicies
       - iam:ListRoles
diff --git a/aws/terminator/security_services.py b/aws/terminator/security_services.py
index 5e101a7f..b1889dd6 100644
--- a/aws/terminator/security_services.py
+++ b/aws/terminator/security_services.py
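Review bot: The six config actions added to AllowGlobalUnrestrictedResourceActionsWhichIncurNoFees cover only the recorder, delivery-channel and rule terminators, while the Python hunk in aws/terminator/security_services.py also adds ConfigAggregator and ConfigAggregationAuthorization, whose describe/delete calls need `config:DescribeConfigurationAggregators`, `config:DeleteConfigurationAggregator`, `config:DescribeAggregationAuthorizations` and `config:DeleteAggregationAuthorization`. Without those four actions the two new terminators will be denied on every run and the aggregator resources will never be cleaned up. Either add the four actions to this statement alongside the existing ones or drop the two classes, so that the policy and the terminator code stay in lock-step.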
@@ -356,6 +356,114 @@ def terminate(self):
         self.client.delete_saml_provider(SAMLProviderArn=self.id)
 
 
+class ConfigRecorder(DbTerminator):
+    @staticmethod
+    def create(credentials):
+        return Terminator._create(
+            credentials, ConfigRecorder, 'config',
+            lambda client: client.describe_configuration_recorders()['ConfigurationRecorders']
+        )
+
+    @property
+    def id(self):
+        return self.instance['name']
+
+    @property
+    def name(self):
+        return self.instance['name']
+
+    def terminate(self):
+        self.client.delete_configuration_recorder(ConfigurationRecorderName=self.name)
+
+
+class ConfigAggregator(DbTerminator):
+    @staticmethod
+    def create(credentials):
+        return Terminator._create(
+            credentials, ConfigAggregator, 'config',
+            lambda client: client.describe_configuration_aggregators()['ConfigurationAggregators']
+        )
+
+    @property
+    def id(self):
+        return self.instance['ConfigurationAggregatorArn']
+
+    @property
+    def name(self):
+        return self.instance['ConfigurationAggregatorName']
+
+    def terminate(self):
+        self.client.delete_configuration_aggregator(ConfigurationAggregatorName=self.name)
+
+
+class ConfigAggregationAuthorization(DbTerminator):
+    @staticmethod
+    def create(credentials):
+        return Terminator._create(
+            credentials, ConfigAggregationAuthorization, 'config',
+            lambda client: client.describe_aggregation_authorizations()['AggregationAuthorizations']
+        )
+
+    @property
+    def region(self):
+        return self.instance['AuthorizedAwsRegion']
+
+    @property
+    def account(self):
+        return self.instance['AuthorizedAccountId']
+
+    @property
+    def id(self):
+        return self.instance['AggregationAuthorizationArn']
+
+    @property
+    def name(self):
+        return self.instance['AuthorizedAccountId'] + ":" + self.instance['AuthorizedAwsRegion']
+
+    def terminate(self):
+        self.client.delete_aggregation_authorization(AuthorizedAccountId=self.account, AuthorizedAwsRegion=self.region)
+
+
+class ConfigDeliveryChannel(DbTerminator):
+    @staticmethod
+    def create(credentials):
+        return Terminator._create(
+            credentials, ConfigDeliveryChannel, 'config',
+            lambda client: client.describe_delivery_channels()['DeliveryChannels']
+        )
+
+    @property
+    def id(self):
+        return self.instance['name']
+
+    @property
+    def name(self):
+        return self.instance['name']
+
+    def terminate(self):
+        self.client.delete_delivery_channel(DeliveryChannelName=self.name)
+
+
+class ConfigRule(DbTerminator):
+    @staticmethod
+    def create(credentials):
+        return Terminator._create(
+            credentials, ConfigRule, 'config',
+            lambda client: client.describe_config_rules()['ConfigRules']
+        )
+
+    @property
+    def id(self):
+        return self.instance['ConfigRuleId']
+
+    @property
+    def name(self):
+        return self.instance['ConfigRuleName']
+
+    def terminate(self):
+        self.client.delete_config_rule(ConfigRuleName=self.name)
+
+
 class KMSKey(Terminator):
     @staticmethod
     def create(credentials):
diff --git a/hacking/aws_config/test_policies/security-services.yaml b/hacking/aws_config/test_policies/security-services.yaml
index 3587d3c4..eb56d705 100644
--- a/hacking/aws_config/test_policies/security-services.yaml
+++ b/hacking/aws_config/test_policies/security-services.yaml
@@ -1,5 +1,18 @@
 Version: '2012-10-17'
 Statement:
+
+  - Sid: AllowManagedPolicyAttachments
+    Effect: Allow
+    Action:
+      - iam:AttachRolePolicy
+      - iam:DetachRolePolicy
+    Resource:
+      - 'arn:aws:iam::{{ aws_account_id }}:role/ansible-test-*'
+    Condition:
+      ArnLike:
+        iam:PolicyArn:
+          - 'arn:aws:iam::aws:policy/service-role/AWSConfigRole'
+
   - Sid: AllowGlobalUnrestrictedResourceActionsWhichIncurNoFees
     Effect: Allow
     Action:
@@ -21,6 +34,9 @@ Statement:
   - Sid: AllowGlobalUnrestrictedResourceActionsWhichIncurFees
     Effect: Allow
     Action:
+      # Config has limited support for resource level restrictions
+      - config:PutConfigurationRecorder
+      - config:PutDeliveryChannel
       # Legacied because the current (minimal) tests don't use
       # { resource_prefix } yet
       - iam:DeleteServerCertificate
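Review bot: ConfigDeliveryChannel.terminate calls `delete_delivery_channel` with no regard to the configuration recorder, but the service refuses to delete a delivery channel while a recorder is still running (it raises LastDeliveryChannelDeleteFailedException), and nothing in the hunk orders ConfigDeliveryChannel after ConfigRecorder — each DbTerminator subclass is discovered and run on its own. The delivery channel record does not carry the recorder name, so stopping the recorder from here is not straightforward; at minimum the dependency should be stated on the call: `# Rejected while a configuration recorder is running; ConfigRecorder.terminate removes the recorder on its own pass, after which this retry succeeds.` If the terminator's retry semantics do not cover that exception, ConfigDeliveryChannel.terminate should catch it and return so the channel is retried on the next cycle rather than logged as a hard failure; I cannot see the retry behaviour of DbTerminator from this diff.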
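Review bot: `config:PutConfigurationRecorder` is not sufficient on its own — the call passes the recorder's service role, so the caller also needs `iam:PassRole` on that role, and unless a PassRole grant scoped to `arn:aws:iam::{{ aws_account_id }}:role/ansible-test-*` already exists elsewhere in this policy (not visible in the diff) the tests will be denied at put_configuration_recorder. The comment placed above the two new actions explains why they sit in an unrestricted statement but not what a test must pair them with; extending it to `# Config has limited support for resource level restrictions; PutConfigurationRecorder additionally needs iam:PassRole on the recorder's role` keeps that dependency visible to whoever next edits the policy. The statement these actions belong to continues past the end of the hunk.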
@@ -77,6 +93,7 @@ Statement:
   - Sid: AllowGlobalRestrictedResourceActionsWhichIncurFees
     Effect: Allow
     Action:
+      - config:PutConfigRule
       - logs:CreateLogGroup
       - logs:PutRetentionPolicy
       - logs:DeleteLogGroup
@@ -84,6 +101,7 @@ Statement:
       - cloudtrail:*
       - secretsmanager:*
     Resource:
+      - 'arn:aws:config:{{ aws_region }}:{{ aws_account_id }}:config-rule/*'
       - 'arn:aws:cloudtrail:{{ aws_region }}:{{ aws_account_id }}:trail/ansible-test-*'
       - 'arn:aws:logs:{{ aws_region }}:{{ aws_account_id }}:log-group:ansible-test*'
       - 'arn:aws:secretsmanager:{{ aws_region }}:{{ aws_account_id }}:secret:ansible-test*'
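Review bot: The new Resource entry `arn:aws:config:{{ aws_region }}:{{ aws_account_id }}:config-rule/*` is the only unprefixed wildcard in a statement whose sibling entries are all scoped to ansible-test-*, and the hunk gives no reason for the difference, so a later reader is likely to "tighten" it to a name prefix that cannot work: config rule ARNs end in a service-generated rule id, not the rule name. A comment next to the entry, `# config-rule ARNs carry a generated id, not the name, so an ansible-test-* prefix cannot be enforced here`, records that rationale where it will be seen. The statement is otherwise consistent with the restricted-resource pattern used for cloudtrail, logs and secretsmanager.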