feat: Implement CIS AWS v1.5.0 Section 1.16 and 1.20 (#13290)

Aruneko · web-flow · commit 7eb3e06f93da · 2023-08-23T09:59:30.000Z
#### Summary

I have implemented CIS AWS v1.5.0 Section 1.16 and 1.20

- Section 1.16
  - I use existing one.
- Section 1.20
  - I fixed existing query for the current table definition.
diff --git a/plugins/source/aws/policies/cis_v1.5.0/section_1.sql b/plugins/source/aws/policies/cis_v1.5.0/section_1.sql
@@ -40,7 +40,8 @@
 \echo "Executing check 1.15"
 \ir ../queries/iam/policies_attached_to_groups_roles.sql
 \set check_id '1.16'
-    -- todo svc.ListPolicies is not used (implement it and then do a check)
+\echo "Executing check 1.16"
+\ir ../queries/iam/no_star.sql
 \set check_id '1.17'
     -- todo svc.ListPolicies is not used (implement it and then do a check)
 \set check_id '1.18'
@@ -50,6 +51,6 @@
 \ir ../queries/iam/server_certificates_expired.sql
 \set check_id '1.20'
 \echo "Executing check 1.20"
--- \ir ../queries/accessanalyzer/regions_with_no_accessanalyzers.sql
+\ir ../queries/accessanalyzer/regions_with_no_accessanalyzers.sql
 \set check_id '1.21'
     -- manual
diff --git a/plugins/source/aws/policies/queries/accessanalyzer/regions_with_no_accessanalyzers.sql b/plugins/source/aws/policies/queries/accessanalyzer/regions_with_no_accessanalyzers.sql
@@ -1,23 +1,20 @@
 insert into aws_policy_results
-WITH regions_with_enabled_accessanalyzer
-         AS (SELECT ar.region AS analyzed_region
-             FROM aws_regions ar
-                      LEFT JOIN aws_accessanalyzer_analyzers aaaa ON
-                 ar.region = aaaa.region
-             WHERE aaaa.status = 'ACTIVE')
-SELECT :'execution_time'                                                        AS execution_time,
-       :'framework'                                                             AS framework,
-       :'check_id'                                                              AS check_id,
-       'Ensure that IAM Access analyzer is enabled for all regions (Automated)' AS title,
-       account_id,
-       region                                                                   AS resource_id,
-       CASE
-           WHEN
-                   aregion.analyzed_region IS NULL
-                   AND ar.enabled = TRUE
-               THEN 'fail'
-           ELSE 'pass'
-           END                                                                  AS status
-FROM aws_regions ar
-         LEFT JOIN regions_with_enabled_accessanalyzer aregion ON
-    ar.region = aregion.analyzed_region;
+SELECT 
+    :'execution_time'                                                        AS execution_time,
+    :'framework'                                                             AS framework,
+    :'check_id'                                                              AS check_id,
+    'Ensure that IAM Access analyzer is enabled for all regions (Automated)' AS title,
+    ar.account_id,
+    ar.region                                                                AS resource_id,
+    CASE
+        WHEN
+            ar.enabled
+            AND aregion.region IS NULL
+            AND aregion.status IS DISTINCT FROM 'ACTIVE'
+        THEN 'fail'
+        ELSE 'pass'
+    END                                                                      AS status
+FROM
+    aws_regions ar
+    LEFT JOIN aws_accessanalyzer_analyzers aregion ON
+        ar.region = aregion.region;
diff --git a/website/tables/aws/aws_accessanalyzer_analyzers.md b/website/tables/aws/aws_accessanalyzer_analyzers.md
@@ -37,32 +37,23 @@ These SQL queries are sampled from CloudQuery policies and are compatible with P
 ### Ensure that IAM Access analyzer is enabled for all regions (Automated)
 
 ```sql
-WITH
-  regions_with_enabled_accessanalyzer
-    AS (
-      SELECT
-        ar.region AS analyzed_region
-      FROM
-        aws_regions AS ar
-        LEFT JOIN aws_accessanalyzer_analyzers AS aaaa ON
-            ar.region = aaaa.region
-      WHERE
-        aaaa.status = 'ACTIVE'
-    )
 SELECT
   'Ensure that IAM Access analyzer is enabled for all regions (Automated)'
     AS title,
-  account_id,
-  region AS resource_id,
+  ar.account_id,
+  ar.region AS resource_id,
   CASE
-  WHEN aregion.analyzed_region IS NULL AND ar.enabled = true THEN 'fail'
+  WHEN ar.enabled
+  AND aregion.region IS NULL
+  AND aregion.status IS DISTINCT FROM 'ACTIVE'
+  THEN 'fail'
   ELSE 'pass'
   END
     AS status
 FROM
   aws_regions AS ar
-  LEFT JOIN regions_with_enabled_accessanalyzer AS aregion ON
-      ar.region = aregion.analyzed_region;
+  LEFT JOIN aws_accessanalyzer_analyzers AS aregion ON
+      ar.region = aregion.region;
 ```
 
 
diff --git a/website/tables/aws/aws_regions.md b/website/tables/aws/aws_regions.md
@@ -27,32 +27,23 @@ These SQL queries are sampled from CloudQuery policies and are compatible with P
 ### Ensure that IAM Access analyzer is enabled for all regions (Automated)
 
 ```sql
-WITH
-  regions_with_enabled_accessanalyzer
-    AS (
-      SELECT
-        ar.region AS analyzed_region
-      FROM
-        aws_regions AS ar
-        LEFT JOIN aws_accessanalyzer_analyzers AS aaaa ON
-            ar.region = aaaa.region
-      WHERE
-        aaaa.status = 'ACTIVE'
-    )
 SELECT
   'Ensure that IAM Access analyzer is enabled for all regions (Automated)'
     AS title,
-  account_id,
-  region AS resource_id,
+  ar.account_id,
+  ar.region AS resource_id,
   CASE
-  WHEN aregion.analyzed_region IS NULL AND ar.enabled = true THEN 'fail'
+  WHEN ar.enabled
+  AND aregion.region IS NULL
+  AND aregion.status IS DISTINCT FROM 'ACTIVE'
+  THEN 'fail'
   ELSE 'pass'
   END
     AS status
 FROM
   aws_regions AS ar
-  LEFT JOIN regions_with_enabled_accessanalyzer AS aregion ON
-      ar.region = aregion.analyzed_region;
+  LEFT JOIN aws_accessanalyzer_analyzers AS aregion ON
+      ar.region = aregion.region;
 ```
 
 ### GuardDuty should be enabled
