feat(eventbridge): add EventBridge checks #4020
Conversation
Codecov Report
Attention: Patch coverage is

Coverage Diff (master vs. #4020):

              master    #4020    +/-
  Coverage    86.34%   86.29%   -0.05%
  Files          778      783       +5
  Lines        24368    24537     +169
  Hits         21040    21175     +135
  Misses        3328     3362      +34
Great job @sergargar 👏 Please review my comments when you get a chance, thanks!
Review thread on the check metadata:

    "CheckTitle": "Ensure that your AWS EventBridge event bus is not exposed to everyone",
    "CheckType": [],
    "ServiceName": "eventbridge",
    "SubServiceName": "",

Suggested change to the last line:

    "SubServiceName": "",
    "SubServiceName": "eventbus",

maybe?

Is that not a resource type?

yep, could be.
prowler/providers/aws/lib/iam/iam.py
what if we put this into the IAM service folder like prowler/providers/aws/services/iam/lib/policy.py
Please add tests for this function not just the ones used in the checks.
Done
Great job @sergargar 👏
Description
Add the following EventBridge checks:

- eventbridge_bus_exposed: Ensure that your AWS EventBridge event bus is not exposed to everyone.
- eventbridge_bus_cross_account_access: Ensure that AWS EventBridge event buses do not allow unknown cross-account access for the delivery of events.
- eventbridge_schema_registry_cross_account_access: Ensure that access to EventBridge schema registries is restricted to accounts within your AWS Organization or specifically authorized accounts.

License
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
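All three checks in this PR come down to the same question about a resource policy: does any Allow statement reach a wildcard principal with no narrowing condition (the bus is exposed to everyone), or an account or Organization that the owner has not explicitly trusted (unknown cross-account access)? The following is an added example of that decision, written for this page and not Prowler's own implementation or the helper discussed in the review above. It works on the policy document alone, so it runs offline; the three sample policies, the account ID 111122223333 and the Organization ID o-abcdef1234 are constructed for the example.

```python
"""Classify an EventBridge event bus or schema registry resource policy.

Added example, not Prowler's code. Decides whether an AWS resource policy
is public (wildcard principal, no narrowing condition) or grants access to
accounts or Organizations outside a trusted set. Sample policies below are
constructed for the example.
"""
import json
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
ARN_ACCOUNT_RE = re.compile(r"^arn:[^:]*:[^:]*:[^:]*:(\d{12}):")
ORG_ID_KEY = "aws:principalorgid"
ACCOUNT_KEY = "aws:principalaccount"
# Condition keys that pin a wildcard principal to specific callers.
RESTRICTING_KEYS = {ORG_ID_KEY, ACCOUNT_KEY, "aws:principalarn",
                    "aws:sourceaccount", "aws:sourcearn"}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_accounts(principal):
    """Return (has_wildcard, account_ids) for a statement's Principal field.

    Account IDs come from bare 12-digit IDs and from ARNs under the "AWS"
    key; Service and Federated principals carry no account and are skipped.
    """
    if principal == "*":
        return True, set()
    wildcard, accounts = False, set()
    if isinstance(principal, dict):
        for kind, values in principal.items():
            for value in _as_list(values):
                if value == "*":
                    wildcard = True
                elif kind == "AWS":
                    match = ARN_ACCOUNT_RE.match(value)
                    if ACCOUNT_ID_RE.match(value):
                        accounts.add(value)
                    elif match:
                        accounts.add(match.group(1))
    return wildcard, accounts


def condition_keys(statement):
    """Flatten Condition into {lower-cased key: [values]} across operators."""
    keys = {}
    for _operator, pairs in statement.get("Condition", {}).items():
        for key, values in pairs.items():
            keys.setdefault(key.lower(), []).extend(_as_list(values))
    return keys


def evaluate_policy(policy, account_id, trusted_accounts=(), trusted_org_id=None):
    """Return {"public": bool, "untrusted": set of account or org IDs}.

    A statement is public when it allows a wildcard principal and no
    condition narrows the caller. Explicit principals from accounts other
    than account_id / trusted_accounts, aws:PrincipalAccount values outside
    that set, and any aws:PrincipalOrgID other than trusted_org_id are
    reported as untrusted. Deny statements are ignored.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    trusted = set(trusted_accounts) | {account_id}
    public, untrusted = False, set()
    for statement in _as_list(policy.get("Statement")):
        if statement.get("Effect") != "Allow":
            continue
        wildcard, accounts = principal_accounts(statement.get("Principal"))
        conditions = condition_keys(statement)
        if wildcard:
            if not RESTRICTING_KEYS & set(conditions):
                public = True
            for org in conditions.get(ORG_ID_KEY, []):
                if org != trusted_org_id:
                    untrusted.add(org)
            accounts |= set(conditions.get(ACCOUNT_KEY, []))
        untrusted |= accounts - trusted
    return {"public": public, "untrusted": untrusted}


# Constructed sample policies for a bus in account 111122223333.
BUS_ARN = "arn:aws:events:us-east-1:111122223333:event-bus/default"
PUBLIC_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowAnyone", "Effect": "Allow", "Principal": "*",
     "Action": "events:PutEvents", "Resource": BUS_ARN}]}
CROSS_ACCOUNT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowPartner", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::222233334444:root"},
     "Action": "events:PutEvents", "Resource": BUS_ARN}]}
ORG_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowOrg", "Effect": "Allow", "Principal": "*",
     "Action": "events:PutEvents", "Resource": BUS_ARN,
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-abcdef1234"}}}]}

if __name__ == "__main__":
    for name, policy in [("public", PUBLIC_POLICY),
                         ("cross-account", CROSS_ACCOUNT_POLICY),
                         ("org-restricted", ORG_POLICY)]:
        print(name, evaluate_policy(policy, "111122223333",
                                    trusted_org_id="o-abcdef1234"))
```

The org-restricted policy is the shape the schema registry check accepts: a wildcard principal is fine when aws:PrincipalOrgID pins it to your own Organization. A wildcard narrowed only by a key outside RESTRICTING_KEYS (for example a custom tag condition) is still treated as public here, which is the conservative choice for a scanner.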