Add support for AWS config resources - terminator and hacking policy

aws/policy/security-services.yaml

@@ -127,6 +127,12 @@ Statement:
   - Sid: AllowGlobalUnrestrictedResourceActionsWhichIncurNoFees
     Effect: Allow
     Action:
+      - config:DeleteConfigRule
+      - config:DeleteConfigurationRecorder
+      - config:DeleteDeliveryChannel
+      - config:DescribeConfigRules
+      - config:DescribeConfigurationRecorders
+      - config:DescribeDeliveryChannels
       - iam:GetRole
       - iam:ListAttachedRolePolicies
       - iam:ListRoles

aws/terminator/security_services.py

@@ -356,6 +356,114 @@ def terminate(self):
         self.client.delete_saml_provider(SAMLProviderArn=self.id)
 
 
+class ConfigRecorder(DbTerminator):
+    @staticmethod
+    def create(credentials):
+        return Terminator._create(
+            credentials, ConfigRecorder, 'config',
+            lambda client: client.describe_configuration_recorders()['ConfigurationRecorders']
+        )
+
+    @property
+    def id(self):
+        return self.instance['name']
+
+    @property
+    def name(self):
+        return self.instance['name']
+
+    def terminate(self):
+        self.client.delete_configuration_recorder(ConfigurationRecorderName=self.name)
+
+
+class ConfigAggregator(DbTerminator):
+    @staticmethod
+    def create(credentials):
+        return Terminator._create(
+            credentials, ConfigAggregator, 'config',
+            lambda client: client.describe_configuration_aggregators()['ConfigurationAggregators']
+        )
+
+    @property
+    def id(self):
+        return self.instance['ConfigurationAggregatorArn']
+
+    @property
+    def name(self):
+        return self.instance['ConfigurationAggregatorName']
+
+    def terminate(self):
+        self.client.delete_configuration_aggregator(ConfigurationAggregatorName=self.name)
+
+
+class ConfigAggregationAuthorization(DbTerminator):
+    @staticmethod
+    def create(credentials):
+        return Terminator._create(
+            credentials, ConfigAggregationAuthorization, 'config',
+            lambda client: client.describe_aggregation_authorizations()['AggregationAuthorizations']
+        )
+
+    @property
+    def region(self):
+        return self.instance['AuthorizedAwsRegion']
+
+    @property
+    def account(self):
+        return self.instance['AuthorizedAccountId']
+
+    @property
+    def id(self):
+        return self.instance['AggregationAuthorizationArn']
+
+    @property
+    def name(self):
+        return self.instance['AuthorizedAccountId'] + ":" + self.instance['AuthorizedAwsRegion']
+
+    def terminate(self):
+        self.client.delete_aggregation_authorization(AuthorizedAccountId=self.account, AuthorizedAwsRegion=self.region)
+
+
+class ConfigDeliveryChannel(DbTerminator):
+    @staticmethod
+    def create(credentials):
+        return Terminator._create(
+            credentials, ConfigDeliveryChannel, 'config',
+            lambda client: client.describe_delivery_channels()['DeliveryChannels']
+        )
+
+    @property
+    def id(self):
+        return self.instance['name']
+
+    @property
+    def name(self):
+        return self.instance['name']
+
+    def terminate(self):
+        self.client.delete_delivery_channel(DeliveryChannelName=self.name)
+
+
+class ConfigRule(DbTerminator):
+    @staticmethod
+    def create(credentials):
+        return Terminator._create(
+            credentials, ConfigRule, 'config',
+            lambda client: client.describe_config_rules()['ConfigRules']
+        )
+
+    @property
+    def id(self):
+        return self.instance['ConfigRuleId']
+
+    @property
+    def name(self):
+        return self.instance['ConfigRuleName']
+
+    def terminate(self):
+        self.client.delete_config_rule(ConfigRuleName=self.name)
+
+
 class KMSKey(Terminator):
     @staticmethod
     def create(credentials):

hacking/aws_config/test_policies/security-services.yaml

@@ -1,5 +1,18 @@
 Version: '2012-10-17'
 Statement:
+
+  - Sid: AllowManagedPolicyAttachments
+    Effect: Allow
+    Action:
+      - iam:AttachRolePolicy
+      - iam:DetachRolePolicy
+    Resource:
+      - 'arn:aws:iam::{{ aws_account_id }}:role/ansible-test-*'
+    Condition:
+      ArnLike:
+        iam:PolicyArn:
+          - 'arn:aws:iam::aws:policy/service-role/AWSConfigRole'
+
   - Sid: AllowGlobalUnrestrictedResourceActionsWhichIncurNoFees
     Effect: Allow
     Action:
@@ -21,6 +34,9 @@ Statement:
   - Sid: AllowGlobalUnrestrictedResourceActionsWhichIncurFees
     Effect: Allow
     Action:
+      # Config has limited support for resource level restrictions
+      - config:PutConfigurationRecorder
+      - config:PutDeliveryChannel
       # Legacied because the current (minimal) tests don't use
       # { resource_prefix } yet
       - iam:DeleteServerCertificate
@@ -77,13 +93,15 @@ Statement:
   - Sid: AllowGlobalRestrictedResourceActionsWhichIncurFees
     Effect: Allow
     Action:
+      - config:PutConfigRule
       - logs:CreateLogGroup
       - logs:PutRetentionPolicy
       - logs:DeleteLogGroup
       # Legacied
       - cloudtrail:*
       - secretsmanager:*
     Resource:
+      - 'arn:aws:config:{{ aws_region }}:{{ aws_account_id }}:config-rule/*'
       - 'arn:aws:cloudtrail:{{ aws_region }}:{{ aws_account_id }}:trail/ansible-test-*'
       - 'arn:aws:logs:{{ aws_region }}:{{ aws_account_id }}:log-group:ansible-test*'
       - 'arn:aws:secretsmanager:{{ aws_region }}:{{ aws_account_id }}:secret:ansible-test*'