Is there an existing issue for this?
- I have searched the existing issues
Current Behavior
ELB.8 control.
aws_elbv1_load_balancers.policies->'OtherPolicies' contains user-defined (custom) policy names, not the predefined policy names.
We need to read the Reference-Security-Policy value from the aws_elbv1_load_balancer_policies table in order to match the predefined policy name.
Expected Behavior
The following patch makes it work:
diff --git a/plugins/source/aws/policies/queries/elb/elbv1_https_predefined_policy.sql b/plugins/source/aws/policies/queries/elb/elbv1_https_predefined_policy.sql
index eb2dee429..040240f11 100644
--- a/plugins/source/aws/policies/queries/elb/elbv1_https_predefined_policy.sql
+++ b/plugins/source/aws/policies/queries/elb/elbv1_https_predefined_policy.sql
@@ -1,15 +1,51 @@
insert into aws_policy_results
+-- select
+-- :'execution_time' as execution_time,
+-- :'framework' as framework,
+-- :'check_id' as check_id,
+-- 'Classic Load Balancers with HTTPS/SSL listeners should use a predefined security policy that has strong configuration' as title,
+-- lb.account_id,
+-- lb.arn as resource_id,
+-- case when
+-- li->'Listener'->>'Protocol' in ('HTTPS', 'SSL')
+-- and 'ELBSecurityPolicy-TLS-1-2-2017-01' != any( ARRAY(SELECT JSONB_ARRAY_ELEMENTS_TEXT(lb.policies->'OtherPolicies')) )
+-- then 'fail'
+-- else 'pass'
+-- end as status
+-- from aws_elbv1_load_balancers lb, jsonb_array_elements(lb.listener_descriptions) as li
+
+with flatten_listener_policy_names as (
+ select
+ account_id,
+ arn,
+ li->'Listener'->>'Protocol' as protocol,
+ JSONB_ARRAY_ELEMENTS_TEXT(li->'PolicyNames') as policy_name
+ from aws_elbv1_load_balancers lb, jsonb_array_elements(lb.listener_descriptions) as li
+),
+reference_security_policies as (
+ select
+ load_balancer_arn,
+ policy_name,
+ policy_attribute_descriptions->>'Reference-Security-Policy' as reference_security_policy_name
+ from aws_elbv1_load_balancer_policies
+),
+violations as (
+ select
+ t1.account_id,
+ t1.arn
+ from flatten_listener_policy_names t1
+ left join reference_security_policies t2
+ on (t1.policy_name = t2.policy_name)
+ where t1.protocol in ('HTTPS', 'SSL')
+ and t2.reference_security_policy_name != 'ELBSecurityPolicy-TLS-1-2-2017-01'
+ group by t1.account_id, t1.arn
+)
select
- :'execution_time' as execution_time,
- :'framework' as framework,
- :'check_id' as check_id,
- 'Classic Load Balancers with HTTPS/SSL listeners should use a predefined security policy that has strong configuration' as title,
- lb.account_id,
- lb.arn as resource_id,
- case when
- li->'Listener'->>'Protocol' in ('HTTPS', 'SSL')
- and 'ELBSecurityPolicy-TLS-1-2-2017-01' != any( ARRAY(SELECT JSONB_ARRAY_ELEMENTS_TEXT(lb.policies->'OtherPolicies')) )
- then 'fail'
- else 'pass'
- end as status
-from aws_elbv1_load_balancers lb, jsonb_array_elements(lb.listener_descriptions) as li
\ No newline at end of file
+ :'execution_time' as execution_time,
+ :'framework' as framework,
+ :'check_id' as check_id,
+ 'Classic Load Balancers with HTTPS/SSL listeners should use a predefined security policy that has strong configuration' as title,
+ account_id,
+ arn as resource_id,
+ 'fail' as status
+from violations
\ No newline at end of file
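Review bot: In the `violations` CTE the `left join` on reference_security_policies is undone by the `!=` filter in `where`, and because a comparison with NULL is never true, a listener whose policy has no `Reference-Security-Policy` attribute — the user-defined custom policy this issue is about — or whose policy name finds no row in the policies table is never reported; `and t2.reference_security_policy_name is distinct from 'ELBSecurityPolicy-TLS-1-2-2017-01'` keeps those rows. The join also matches on policy name alone although classic ELB policy names are scoped to a single load balancer and `load_balancer_arn` is already selected into the CTE, so `on (t1.arn = t2.load_balancer_arn and t1.policy_name = t2.policy_name)` avoids cross-load-balancer name collisions. If `policy_attribute_descriptions` is stored as the API's list of `{AttributeName, AttributeValue}` objects rather than a key/value map, `->>'Reference-Security-Policy'` returns NULL for every row, which is worth confirming against the synced data before relying on the new CTE. Finally, the old query is kept as the commented-out block at the top of the file, and the rewrite now emits only `'fail'` rows, dropping the per-listener `'pass'` rows the original produced — possibly intentional, but the other checks in this directory set the expectation.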
CloudQuery (redacted) config
N/A
Steps To Reproduce
No response
CloudQuery (redacted) logs
N/A
CloudQuery version
main
Additional Context
No response
Pull request (optional)
- I can submit a pull request