From 1746374fd88c8e465fcaa2fd5447995178d153a4 Mon Sep 17 00:00:00 2001 From: Mark Chappell Date: Wed, 24 Feb 2021 07:43:26 +0100 Subject: [PATCH 1/3] Add terminator support for AWS Config objects --- aws/terminator/security_services.py | 108 ++++++++++++++++++++++++++++ 1 file changed, 108 insertions(+)
diff --git a/aws/terminator/security_services.py b/aws/terminator/security_services.py
index 5e101a7f..b1889dd6 100644
--- a/aws/terminator/security_services.py
+++ b/aws/terminator/security_services.py
@@ -356,6 +356,114 @@ def terminate(self):
 self.client.delete_saml_provider(SAMLProviderArn=self.id)
+class ConfigRecorder(DbTerminator):
+ @staticmethod
+ def create(credentials):
+ return Terminator._create(
+ credentials, ConfigRecorder, 'config',
+ lambda client: client.describe_configuration_recorders()['ConfigurationRecorders']
+ )
+
+ @property
+ def id(self):
+ return self.instance['name']
+
+ @property
+ def name(self):
+ return self.instance['name']
+
+ def terminate(self):
+ self.client.delete_configuration_recorder(ConfigurationRecorderName=self.name)
+
+
+class ConfigAggregator(DbTerminator):
+ @staticmethod
+ def create(credentials):
+ return Terminator._create(
+ credentials, ConfigAggregator, 'config',
+ lambda client: client.describe_configuration_aggregators()['ConfigurationAggregators']
+ )
+
+ @property
+ def id(self):
+ return self.instance['ConfigurationAggregatorArn']
+
+ @property
+ def name(self):
+ return self.instance['ConfigurationAggregatorName']
+
+ def terminate(self):
+ self.client.delete_configuration_aggregator(ConfigurationAggregatorName=self.name)
+
+
+class ConfigAggregationAuthorization(DbTerminator):
+ @staticmethod
+ def create(credentials):
+ return Terminator._create(
+ credentials, ConfigAggregationAuthorization, 'config',
+ lambda client: client.describe_aggregation_authorizations()['AggregationAuthorizations']
+ )
+
+ @property
+ def region(self):
+ return self.instance['AuthorizedAwsRegion']
+
+ @property
+ def account(self):
+ return self.instance['AuthorizedAccountId']
+
+ @property
+ def id(self):
+ return self.instance['AggregationAuthorizationArn']
+
+ @property
+ def name(self):
+ return self.instance['AuthorizedAccountId'] + ":" + self.instance['AuthorizedAwsRegion']
+
+ def terminate(self):
+ self.client.delete_aggregation_authorization(AuthorizedAccountId=self.account, AuthorizedAwsRegion=self.region)
+
+
+class ConfigDeliveryChannel(DbTerminator):
+ @staticmethod
+ def create(credentials):
+ return Terminator._create(
+ credentials, ConfigDeliveryChannel, 'config',
+ lambda client: client.describe_delivery_channels()['DeliveryChannels']
+ )
+
+ @property
+ def id(self):
+ return self.instance['name']
+
+ @property
+ def name(self):
+ return self.instance['name']
+
+ def terminate(self):
+ self.client.delete_delivery_channel(DeliveryChannelName=self.name)
+
+
+class ConfigRule(DbTerminator):
+ @staticmethod
+ def create(credentials):
+ return Terminator._create(
+ credentials, ConfigRule, 'config',
+ lambda client: client.describe_config_rules()['ConfigRules']
+ )
+
+ @property
+ def id(self):
+ return self.instance['ConfigRuleId']
+
+ @property
+ def name(self):
+ return self.instance['ConfigRuleName']
+
+ def terminate(self):
+ self.client.delete_config_rule(ConfigRuleName=self.name)
+
+
 class KMSKey(Terminator):
 @staticmethod
 def create(credentials):
From 32275d5b4a3dff51d89a9e679e042c1fecda3031 Mon Sep 17 00:00:00 2001 From: Mark Chappell Date: Wed, 24 Feb 2021 07:44:36 +0100 Subject: [PATCH 2/3] 'unsupported' Policy for aws_config --- .../test_policies/security-services.yaml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+)
diff --git a/hacking/aws_config/test_policies/security-services.yaml b/hacking/aws_config/test_policies/security-services.yaml
index 3587d3c4..5595ab59 100644
--- a/hacking/aws_config/test_policies/security-services.yaml
+++ b/hacking/aws_config/test_policies/security-services.yaml
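Review bot: `ConfigRule.create`, `ConfigAggregator.create` and `ConfigAggregationAuthorization.create` read only the first page of their Describe call, and boto3's `describe_config_rules`, `describe_configuration_aggregators` and `describe_aggregation_authorizations` page through `NextToken`, so anything beyond the first page is never terminated; the paginator form is a one-line change, e.g. `lambda client: [r for page in client.get_paginator('describe_config_rules').paginate() for r in page['ConfigRules']]`. Separately, none of the five lambdas filters by name, so `ConfigRecorder` and `ConfigDeliveryChannel` will delete every recorder and delivery channel in the region — these are effectively per-region singletons, and removing them stops Config recording for the whole account — unless `Terminator._create` or `DbTerminator` (both outside the hunk) already apply an age or prefix filter. If wiping them is intended for the test account, a class-level comment such as `# Deletes every recorder in the region, not only test-created ones; Config recording stops until one is recreated` would make that explicit for the next maintainer. The choice of `DbTerminator` over `Terminator` as the base for all five classes is also undocumented here; a short comment stating why would help.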
@@ -1,11 +1,30 @@
 Version: '2012-10-17'
 Statement:
+
+ - Sid: AllowManagedPolicyAttachments
+ Effect: Allow
+ Action:
+ - iam:AttachRolePolicy
+ - iam:DetachRolePolicy
+ Resource:
+ - 'arn:aws:iam::{{ aws_account_id }}:role/ansible-test-*'
+ Condition:
+ ArnLike:
+ iam:PolicyArn:
+ - 'arn:aws:iam::aws:policy/service-role/AWSConfigRole'
+
 - Sid: AllowGlobalUnrestrictedResourceActionsWhichIncurNoFees
 Effect: Allow
 Action:
 - cloudtrail:DescribeTrails
 - cloudtrail:ListTags
 - cloudtrail:ListPublicKeys
+ - config:DeleteConfigRule
+ - config:DeleteConfigurationRecorder
+ - config:DeleteDeliveryChannel
+ - config:DescribeConfigRules
+ - config:DescribeConfigurationRecorders
+ - config:DescribeDeliveryChannels
 - iam:GetPolicy
 - iam:GetPolicyVersion
 - iam:GetRolePolicy
@@ -21,6 +40,9 @@ Statement:
 - Sid: AllowGlobalUnrestrictedResourceActionsWhichIncurFees
 Effect: Allow
 Action:
+ # Config has limited support for resource level restrictions
+ - config:PutConfigurationRecorder
+ - config:PutDeliveryChannel
 # Legacied because the current (minimal) tests don't use
 # { resource_prefix } yet
 - iam:DeleteServerCertificate
@@ -77,6 +99,7 @@ Statement:
 - Sid: AllowGlobalRestrictedResourceActionsWhichIncurFees
 Effect: Allow
 Action:
+ - config:PutConfigRule
 - logs:CreateLogGroup
 - logs:PutRetentionPolicy
 - logs:DeleteLogGroup
@@ -84,6 +107,7 @@ Statement:
 - cloudtrail:*
 - secretsmanager:*
 Resource:
+ - 'arn:aws:config:{{ aws_region }}:{{ aws_account_id }}:config-rule/*'
 - 'arn:aws:cloudtrail:{{ aws_region }}:{{ aws_account_id }}:trail/ansible-test-*'
 - 'arn:aws:logs:{{ aws_region }}:{{ aws_account_id }}:log-group:ansible-test*'
 - 'arn:aws:secretsmanager:{{ aws_region }}:{{ aws_account_id }}:secret:ansible-test*'
From 62b0698ca22c15c900399484ff9756a0af6bc7d6 Mon Sep 17 00:00:00 2001
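Review bot: In the `@@ -77,6 +99,7 @@` and `@@ -84,6 +107,7 @@` hunks, `config:PutConfigRule` is added under `AllowGlobalRestrictedResourceActionsWhichIncurFees`, but its resource `arn:aws:config:{{ aws_region }}:{{ aws_account_id }}:config-rule/*` matches every rule in the region, unlike the neighbouring `ansible-test-*` patterns, so the Sid promises a scoping that this entry does not deliver. As far as I recall, Config rule ARNs end in a generated `config-rule-<id>` rather than the rule name, so a name prefix cannot be used here; if that is the reason, a comment on the added Resource line such as `# config-rule ARNs carry a generated id, not the rule name, so this cannot be prefix-scoped` would stop the next reader from tightening it to a pattern that never matches. The alternative is to place it next to `config:PutConfigurationRecorder` in the `@@ -21,6 +40,9 @@` hunk, under the existing `# Config has limited support for resource level restrictions` note, so the unrestricted actions sit together. Note also that `PutConfigurationRecorder` normally needs `iam:PassRole` for the recorder's role; whether the policy grants that for `ansible-test-*` roles is outside these hunks.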
From: Mark Chappell Date: Fri, 12 Mar 2021 06:56:18 +0100 Subject: [PATCH 3/3] Move Describe/Delete rules into main policy so terminator doesn't fail --- aws/policy/security-services.yaml | 6 ++++++ hacking/aws_config/test_policies/security-services.yaml | 6 ------ 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/aws/policy/security-services.yaml b/aws/policy/security-services.yaml
index 43d8f135..310f44d0 100644
--- a/aws/policy/security-services.yaml
+++ b/aws/policy/security-services.yaml
@@ -127,6 +127,12 @@ Statement:
 - Sid: AllowGlobalUnrestrictedResourceActionsWhichIncurNoFees
 Effect: Allow
 Action:
+ - config:DeleteConfigRule
+ - config:DeleteConfigurationRecorder
+ - config:DeleteDeliveryChannel
+ - config:DescribeConfigRules
+ - config:DescribeConfigurationRecorders
+ - config:DescribeDeliveryChannels
 - iam:GetRole
 - iam:ListAttachedRolePolicies
 - iam:ListRoles
diff --git a/hacking/aws_config/test_policies/security-services.yaml b/hacking/aws_config/test_policies/security-services.yaml
index 5595ab59..eb56d705 100644
--- a/hacking/aws_config/test_policies/security-services.yaml
+++ b/hacking/aws_config/test_policies/security-services.yaml
@@ -19,12 +19,6 @@ Statement:
 - cloudtrail:DescribeTrails
 - cloudtrail:ListTags
 - cloudtrail:ListPublicKeys
- - config:DeleteConfigRule
- - config:DeleteConfigurationRecorder
- - config:DeleteDeliveryChannel
- - config:DescribeConfigRules
- - config:DescribeConfigurationRecorders
- - config:DescribeDeliveryChannels
 - iam:GetPolicy
 - iam:GetPolicyVersion
 - iam:GetRolePolicy
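Review bot: The `@@ -127,6 +127,12 @@` hunk in `aws/policy/security-services.yaml` grants Describe/Delete only for config rules, configuration recorders and delivery channels, but the terminators added in PATCH 1/3 also call `describe_configuration_aggregators`, `delete_configuration_aggregator`, `describe_aggregation_authorizations` and `delete_aggregation_authorization`, so `ConfigAggregator` and `ConfigAggregationAuthorization` will still fail with AccessDenied unless those actions are granted elsewhere in the policy outside this hunk. The commit subject shows this mismatch only surfaces at run time, so the four missing actions should go into the same alphabetically ordered Action list, with a comment tying the block to the code, e.g. `# keep in sync with the Config* terminators in aws/terminator/security_services.py`. The second hunk is a pure removal and needs nothing further.
```yaml
      # keep in sync with the Config* terminators in aws/terminator/security_services.py
      - config:DeleteAggregationAuthorization
      - config:DeleteConfigurationAggregator
      - config:DescribeAggregationAuthorizations
      - config:DescribeConfigurationAggregators
      # … unchanged: existing config:Delete*/Describe* and iam:* entries …
```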