Merge pull request #79 from aws-ia/devel

Scoutsuite automation test
aws-ia · Jan 5, 2024 · 1ffa301 · 1ffa301
2 parents dccf995 + 72b81f7
commit 1ffa301
Show file tree

Hide file tree

Showing 13 changed files with 64 additions and 63 deletions.
diff --git a/.gitignore b/.gitignore
@@ -185,4 +185,10 @@ aggregated_results.txt
 lambda.zip
 
 # Visual Studio Code IDE
-.vscode/
+.vscode/
+
+# Scoutsuite files
+/scoutsuite-report/
+scoutsuite-report.zip
+scoutsuite_sysout.txt
+scoutsuite_s3_filename.txt
diff --git a/.project_automation/functional_tests/entrypoint.sh b/.project_automation/functional_tests/entrypoint.sh
@@ -8,6 +8,9 @@ PROJECT_TYPE_PATH=${BASE_PATH}/projecttype
 
 cd ${PROJECT_PATH}
 
+# Retrieve the AWS account ID and store it in a variable
+AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
+
 cleanup_region() {
     echo "Cleanup running in region: $1"
     export AWS_DEFAULT_REGION=$1
@@ -24,15 +27,16 @@ cleanup_all_regions() {
 }
 
 run_test() {
-    echo "Running e2e test"
+    echo "Running e2e test: $1"
     cleanup_all_regions
     echo $AWS_DEFAULT_REGION
     unset AWS_DEFAULT_REGION
     echo $AWS_DEFAULT_REGION
-    taskcat test run
+    taskcat test run -n -t $1
+    .project_automation/functional_tests/scoutsuite/scoutsuite.sh
 }
 # Run taskcat e2e test
-run_test
+run_test "cfn-abi-lacework-polygraph-multi-org-multi-sub-mapping"
 
 ## Executing ash tool
 

diff --git a/.project_automation/functional_tests/entrypoint_scotsuite.sh b/.project_automation/functional_tests/entrypoint_scotsuite.sh
diff --git a/...bi-cloudtrail-no-encryption-with-kms.json → ...bi-cloudtrail-no-encryption-with-kms.json b/...bi-cloudtrail-no-encryption-with-kms.json → ...bi-cloudtrail-no-encryption-with-kms.json
diff --git a/...ssume-role-lacks-external-id-and-mfa.json → ...ssume-role-lacks-external-id-and-mfa.json b/...ssume-role-lacks-external-id-and-mfa.json → ...ssume-role-lacks-external-id-and-mfa.json
diff --git a/..._tests/abi-scoutsuite-custom-ruleset.json → ...tsuite/abi-scoutsuite-custom-ruleset.json b/..._tests/abi-scoutsuite-custom-ruleset.json → ...tsuite/abi-scoutsuite-custom-ruleset.json
@@ -1,5 +1,5 @@
 {
-    "about": "This is a simplified ruleset intended for use by CDO Securtiy Certifiers and is maintained by Amazon's CloudSecurity team.",
+    "about": "This is a simplified ruleset intended for use with AWS ABI test environments.",
     "rules": {
         "cloudtrail-not-configured.json": [
             {

diff --git a/...al_tests/create-scoutsuite-custom-rule.py → ...outsuite/create-scoutsuite-custom-rule.py b/...al_tests/create-scoutsuite-custom-rule.py → ...outsuite/create-scoutsuite-custom-rule.py
@@ -40,7 +40,7 @@ def create_scoutsuite_custom_rule_file(file_name):
     if not os.path.exists(scoutsuite_cloudtrail_json_file_path):
         # If the file does not exist, create it   
         # Source path
-        src = '.project_automation/functional_tests/'+file_name
+        src = '.project_automation/functional_tests/scoutsuite/'+file_name
         copy_file(src, scoutsuite_cloudtrail_json_file_path)
     else:
         logging.info(f'File {scoutsuite_cloudtrail_json_file_path} already exists')

diff --git a/...lambda_s3_presignedurl/lambda_function.py → ...lambda_s3_presignedurl/lambda_function.py b/...lambda_s3_presignedurl/lambda_function.py → ...lambda_s3_presignedurl/lambda_function.py
diff --git a/...e/lambda_s3_presignedurl/requirements.txt → ...e/lambda_s3_presignedurl/requirements.txt b/...e/lambda_s3_presignedurl/requirements.txt → ...e/lambda_s3_presignedurl/requirements.txt
diff --git a/...ctional_tests/lambda_s3_presignedurl.yaml → ...ts/scoutsuite/lambda_s3_presignedurl.yaml b/...ctional_tests/lambda_s3_presignedurl.yaml → ...ts/scoutsuite/lambda_s3_presignedurl.yaml
diff --git a/...tional_tests/process-scoutsuite-report.py → ...s/scoutsuite/process-scoutsuite-report.py b/...tional_tests/process-scoutsuite-report.py → ...s/scoutsuite/process-scoutsuite-report.py
@@ -81,7 +81,7 @@ def create_lambda_s3_presignedurl():
     '''Function that creates the Lambda function that generates S3 presigned URLs'''
 
     # Create the ZIP deployment package for Lambda
-    lambda_zipped_code = zip_folder_to_bytesio('./.project_automation/functional_tests/lambda_functions/source/lambda_s3_presignedurl')
+    lambda_zipped_code = zip_folder_to_bytesio('./.project_automation/functional_tests/scoutsuite/lambda_functions/source/lambda_s3_presignedurl')
     lambda_zipped_code.seek(0) # Reset the cursor of the BytesIO object to the beginning
 
     s3_client = session.client('s3')
@@ -95,7 +95,7 @@ def create_lambda_s3_presignedurl():
     # Use the session to create a client for CloudFormation
     cf_client = session.client('cloudformation')
 
-    with open('./.project_automation/functional_tests/lambda_s3_presignedurl.yaml', 'r') as file:
+    with open('./.project_automation/functional_tests/scoutsuite/lambda_s3_presignedurl.yaml', 'r') as file:
         template_body = file.read()
     # Check if the stack already exists
     try:
@@ -277,6 +277,8 @@ def upload_scoutsuite_results_zip_to_s3(scoutsuite_zip_file_path, zip_name):
         s3_file_with_key = time_key + '-' + zip_name
         # Upload the Scoutsuite results zip to an S3 bucket
         s3.upload_file(scoutsuite_zip_file_path, bucket_name, s3_file_with_key)
+        with open("scoutsuite_s3_filename.txt", "w") as file:
+            file.write(str(s3_file_with_key))   
 
     except ClientError as error:
         logging.exception (error)

diff --git a/.project_automation/functional_tests/scoutsuite/scoutsuite.sh b/.project_automation/functional_tests/scoutsuite/scoutsuite.sh
@@ -0,0 +1,40 @@
+#!/bin/bash -ex
+
+
+## NOTE: paths may differ when running in a managed task. To ensure behavior is consistent between
+# managed and local tasks always use these variables for the project and project type path
+PROJECT_PATH=${BASE_PATH}/project
+PROJECT_TYPE_PATH=${BASE_PATH}/projecttype
+
+cd ${PROJECT_PATH}
+
+# Retrieve the AWS account ID and store it in a variable
+AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
+
+run_scoutsuite() {
+    #Create Scoutsuite security scan custom rule
+    python3 .project_automation/functional_tests/scoutsuite/create-scoutsuite-custom-rule.py
+    # Execute Scoutsuite security scan
+    scout aws -r us-east-1 --ruleset .project_automation/functional_tests/scoutsuite/abi-scoutsuite-custom-ruleset.json --no-browser --max-rate 5 --max-workers 5 -f
+    # Upload Scoutsuite security scan results to S3 bucket named scoutsuite-results-aws-AWS-ACCOUNT-ID
+    python3 .project_automation/functional_tests/scoutsuite/process-scoutsuite-report.py
+    # Delete taskcat e2e test resources
+    taskcat test clean ALL
+    process_scoutsuite_report
+}
+
+process_scoutsuite_report() {
+    # Check Scoutsuite security scan result for Danger level findings (Non-0 exit code)
+    scoutsuite_sysout_result=$(cat scoutsuite_sysout.txt)
+    scoutsuite_s3_filename=$(cat scoutsuite_s3_filename.txt)
+    rm scoutsuite_sysout.txt
+    rm scoutsuite_s3_filename.txt
+    if [ "$scoutsuite_sysout_result" -ne 0 ]; then       
+        # The value is non-zero, indicating Scoutsuite report needs to be checked for security issues
+        echo "Scoutsuite report contains security issues. For details please check the log messages above or the file $scoutsuite_s3_filename in the S3 bucket named scoutsuite-results-aws-$AWS_ACCOUNT_ID in the AWS test account provided by the ABI team."
+        exit 1 
+    fi
+}
+
+#Run Scoutsuite security test
+run_scoutsuite
diff --git a/scripts/cleanup_config.json b/scripts/cleanup_config.json
@@ -188,5 +188,9 @@
     {
         "Type" : "STACK",
         "Filter" : "tCaT-cfn-abi-lacework-polygraph-"
+    },
+    {
+        "Type" : "STACK",
+        "Filter" : "Lambda-S3-PresignedURL"
     }
 ]