Merge branch 'main' of github.com:aws-samples/preventive-security-controls-in-pulumi-iac-pipeline into main

aarthkan · aarthkan · commit 5f3372f91691 · 2023-01-04T22:09:48.000+08:00
diff --git a/README.md b/README.md
@@ -39,12 +39,24 @@ The preventive controls and policies have been written as code and stored in the
 
 #### Packaging & Distributing Pulumi CrossGuard Custom Policy packs using AWS CodeArtifact
 The folder named *customer-policy-crossguard-pkg* contains the code and the documents required for packaging a Python project into a package that can be easily distributed, without having to copy the source code. This folder needs to be uploaded into a CodeCommit repository, and future changes and distributions managed from there. Refer to this [link](https://docs.aws.amazon.com/codecommit/latest/userguide/how-to-create-repository.html) for more information on how to create a CodeCommit repository. This repository is maintained typically by the Security Engineering team. 
+
+Example how to create CodeCommit repository with AWS CLI:
+```bash
+    aws codecommit create-repository --repository-name custom-policy-crossguard-pkg --repository-description "Pulumi CrossGuard Policies repository"
+```
+
+Refer to the detailed instructions how to create [a CodeArtifact domain](https://docs.aws.amazon.com/codeartifact/latest/ug/domain-create.html) and [a CodeArtifact repository](https://docs.aws.amazon.com/codeartifact/latest/ug/create-repo.html) in the domain. Example how to create CodeArtifact domain and repository using AWS CLI:
+```bash
+    aws codeartifact create-domain --domain <domain-name>
+    aws codeartifact create-repository --domain <domain-name> --domain-owner <aws-account-id> --repository <repository-name> --description "Pulumi CrossGuard policies packages"
+```
+
 The file *setup.cfg* contains the details of the package including the name and version number. Within the *src/* folder is the project folder that will be distributed as a package to be installed via pip.
 
 To generate the distribution packages, the following commands are to be run from the same folder where *pyproject.toml* is located.
 
 ```bash
-    python3 -m pip install –upgrade build
+    python3 -m pip install --upgrade build
     python3 -m build 
 ```
 
@@ -60,18 +72,18 @@ To upload the generated distribution archives, we use the twine package. The ins
 
 ```bash
     python3 -m pip install --upgrade twine
-    aws codeartifact login --tool twine --repository pulumi --domain pac --domain-owner <account Id>
+    aws codeartifact login --tool twine --repository <repository-name> --domain <domain-name> --domain-owner <aws-account-id>
     export TWINE_USERNAME=aws
-    export TWINE_PASSWORD=`aws codeartifact get-authorization-token --domain acme --domain-owner <account Id> --query authorizationToken --output text`
-    export TWINE_REPOSITORY_URL=`aws codeartifact get-repository-endpoint --domain acme --domain-owner <account Id> --repository custompolicypack --format pypi --query repositoryEndpoint --output text`
-    python3 -m twine upload --repository pulumi dist/*  
+    export TWINE_PASSWORD=`aws codeartifact get-authorization-token --domain <domain-name> --domain-owner <aws-account-id> --query authorizationToken --output text`
+    export TWINE_REPOSITORY_URL=`aws codeartifact get-repository-endpoint --domain <domain-name> --domain-owner <aws-account-id> --repository <repository-name> --format pypi --query repositoryEndpoint --output text`
+    python3 -m twine upload --repository <repository-name> dist/*  
 ```
     
 This will upload the package to AWS CodeArtifact. This method allows for managing versions of the policy-as-code easily.  
 To download the package and use it within the pipeline for policy enforcement, some additional commands are to be added into the *buildspec.yml* file for the pipeline. Specifically, these following command connects to the CodeArtifact repository and enable pip to download our custom package later. A sample buildspec file has been provided here *sample-code/sample-build-file/buildspec.yaml*.
 
 ```bash
-    aws codeartifact login --tool pip --repository pulumi --domain pac --domain-owner <account Id>
+    aws codeartifact login --tool pip --repository <repository-name> --domain <domain-name> --domain-owner <aws-account-id>
 ```
 
 The preventative checks in the custom policy package cover the following items mapped to checks from *[Prowler](https://github.com/prowler-cloud/prowler)*. Prowler is an open-source security tool to perform AWS security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. It contains more than 200 controls covering CIS, PCI-DSS, ISO27001, GDPR, HIPAA, FFIEC, SOC2, AWS FTR, ENS and custom security frameworks.
diff --git a/custom-policy-crossguard-pkg/pyawsguard/src/pyawsguard/ec2_checks.py b/custom-policy-crossguard-pkg/pyawsguard/src/pyawsguard/ec2_checks.py
@@ -30,8 +30,6 @@
 import datetime
 import os
 
-from pyawsguard.metric_object import metric
-
 
 ###################################
 # EC2 - Security Groups
diff --git a/custom-policy-crossguard-pkg/pyawsguard/src/pyawsguard/s3_checks.py b/custom-policy-crossguard-pkg/pyawsguard/src/pyawsguard/s3_checks.py
@@ -54,14 +54,11 @@ def s3_public_access_block_validator(args: ResourceValidationArgs, report_violat
 # S3 Bucket policy validator
 def s3_ssl_requests_validator(args: ResourceValidationArgs, report_violation: ReportViolation):
     if args.resource_type == "aws:s3/bucketPolicy:BucketPolicy":
-        f = open('data.txt', 'w')
         if "policy" in args.props:
             flag = 0
             policy = json.loads(args.props["policy"])
-            if "Statement" in policy:
+            if 'Statement' in policy:
                 for stmt in policy["Statement"]:
-                    print(stmt["Condition"])
-                    print(stmt["Condition"]["Bool"])
                     if "Condition" in stmt and "Bool" in stmt["Condition"] and "aws:SecureTransport" in stmt["Condition"]["Bool"] and stmt["Condition"]["Bool"]["aws:SecureTransport"] == "false":
                         flag = 1
                         break
diff --git a/sample-code/sample-build-file/buildspec.yaml b/sample-code/sample-build-file/buildspec.yaml
@@ -42,7 +42,12 @@ phases:
       #
       # Static Analysis
       #
-
+      
+      #
+      # NOTE: When setting up an AWS CodeBuild project, make sure that sample-code/sample-resources/ is passed in 
+      # as the Source Directory to AWS CodeBuild. This can be verified by echoing the value of the
+      # environment variable 'CODEBUILD_SRC_DIR'
+      #
       - cd $CODEBUILD_SRC_DIR/resources
 
       # Bandit
diff --git a/sample-code/sample-resources/checks/custom-policy-crossguard/requirements.txt b/sample-code/sample-resources/checks/custom-policy-crossguard/requirements.txt
@@ -1,3 +1,3 @@
-pulumi-policy==1.4.0
-pulumi-aws==4.33.1
+pulumi_policy>=1.5.0,<2.0.0clear
+pulumi-aws>=4.0.0,<5.0.0
 ## Please add the name of the custom package deployed to AWS codeArtifact

Original file line number	Diff line number	Diff line change
`@@ -42,7 +42,12 @@ phases:`
`42`	`42`	`#`
`43`	`43`	`# Static Analysis`
`44`	`44`	`#`
`45`		`-`
	`45`	`+`
	`46`	`+ #`
	`47`	`+ # NOTE: When setting up an AWS CodeBuild project, make sure that sample-code/sample-resources/ is passed in`
	`48`	`+ # as the Source Directory to AWS CodeBuild. This can be verified by echoing the value of the`
	`49`	`+ # environment variable 'CODEBUILD_SRC_DIR'`
	`50`	`+ #`
`46`	`51`	`- cd $CODEBUILD_SRC_DIR/resources`
`47`	`52`
`48`	`53`	`# Bandit`