mondoohq · tas50 · Mar 5, 2024 · Feb 26, 2024 · Feb 26, 2024 · Feb 27, 2024
diff --git a/.github/actions/spelling/expect.txt b/.github/actions/spelling/expect.txt
@@ -84,3 +84,4 @@ vulnerabilityassessmentsettings
 vulnmgmt
 wil
 xssmatchstatement
+deliverychannel
diff --git a/providers/aws/resources/aws.lr b/providers/aws/resources/aws.lr
@@ -2513,6 +2513,8 @@ aws.config {
   recorders() []aws.config.recorder
   // List of AWS Config rules
   rules() []aws.config.rule
+  // List of delivery channels for each region in the account
+  deliveryChannels() []aws.config.deliverychannel
 }
 
 // AWS config rule
@@ -2553,6 +2555,20 @@ private aws.config.recorder @defaults("name region") {
   resourceTypes []string
 }
 
+// AWS config delivery channel
+private aws.config.deliverychannel @defaults("name region") {
+  // Name of the delivery channel
+  name string
+  // S3 bucket name where configuration snapshots are delivered
+  s3BucketName string
+  // Prefix for the S3 bucket where configuration snapshots are delivered
+  s3KeyPrefix string
+  // ARN of the SNS topic that AWS Config delivers notifications to
+  snsTopicARN string
+  // Region for the delivery channel
+  region string
+}
+
 // Amazon Elastic Kubernetes Service (EKS)
 aws.eks {
   // EKS clusters

diff --git a/providers/aws/resources/aws.lr.go b/providers/aws/resources/aws.lr.go
diff --git a/providers/aws/resources/aws.lr.manifest.yaml b/providers/aws/resources/aws.lr.manifest.yaml
@@ -679,6 +679,10 @@ resources:
       desc: |
         Use the `aws.config` resource to assess the configuration of the AWS Config service. The resource provides the `.recorders` field, which returns a list of `aws.config.recorder` resources representing all AWS Config recorders configured across all enabled regions, as well as the `.rules` field, which returns a list of `aws.config.rule` resources representing all AWS Config rules configured across all enabled regions in the account.
     fields:
+      deliveryChannels:
+        min_mondoo_version: 9.0.0
+      deliverychannels:
+        min_mondoo_version: 9.0.0
       recorders: {}
       rules: {}
     min_mondoo_version: 5.15.0
@@ -704,6 +708,22 @@ resources:
           recording == true && lastStatus == "SUCCESS"
         )
       title: Ensure AWS Config is enabled in all regions
+  aws.config.deliverychannel:
+    docs:
+      desc: "The `aws.config.deliverychannel` resource provides fields representing
+        an individual AWS Config delivery channel configured within an account. For
+        usage, read the `aws.config` resource documentation.\n"
+    fields:
+      name: {}
+      region: {}
+      s3BucketName: {}
+      s3KeyPrefix: {}
+      snsTopicARN: {}
+    is_private: true
+    min_mondoo_version: 9.0.0
+    platform:
+      name:
+      - aws
   aws.config.recorder:
     docs:
       desc: "The `aws.config.recorder` resource provides fields representing an individual

diff --git a/providers/aws/resources/aws_config.go b/providers/aws/resources/aws_config.go
@@ -100,6 +100,66 @@ func (a *mqlAwsConfig) getRecorders(conn *connection.AwsConnection) []*jobpool.J
 	return tasks
 }
 
+func (a *mqlAwsConfig) deliveryChannels() ([]interface{}, error) {
+	conn := a.MqlRuntime.Connection.(*connection.AwsConnection)
+	res := []interface{}{}
+	poolOfJobs := jobpool.CreatePool(a.getDeliveryChannels(conn), 5)
+	poolOfJobs.Run()
+
+	if poolOfJobs.HasErrors() {
+		return nil, poolOfJobs.GetErrors()
+	}
+
+	for i := range poolOfJobs.Jobs {
+		res = append(res, poolOfJobs.Jobs[i].Result.([]interface{})...)
+	}
+	return res, nil
+}
+
+func (a *mqlAwsConfig) getDeliveryChannels(conn *connection.AwsConnection) []*jobpool.Job {
+	tasks := make([]*jobpool.Job, 0)
+	regions, err := conn.Regions()
+	if err != nil {
+		return []*jobpool.Job{{Err: err}}
+	}
+
+	for _, region := range regions {
+		regionVal := region
+		f := func() (jobpool.JobResult, error) {
+			log.Debug().Msgf("config>getDeliveryChannels>calling aws with region %s", regionVal)
+
+			svc := conn.ConfigService(regionVal)
+			ctx := context.Background()
+			res := []interface{}{}
+
+			deliveryChannelsParams := &configservice.DescribeDeliveryChannelsInput{}
+			deliveryChannels, err := svc.DescribeDeliveryChannels(ctx, deliveryChannelsParams)
+			if err != nil {
+				return nil, err
+			}
+
+			for _, channel := range deliveryChannels.DeliveryChannels {
+				mqlDeliveryChannel, err := CreateResource(a.MqlRuntime, "aws.config.deliverychannel",
+					map[string]*llx.RawData{
+						"name":         llx.StringDataPtr(channel.Name),
+						"s3BucketName": llx.StringDataPtr(channel.S3BucketName),
+						"s3KeyPrefix":  llx.StringDataPtr(channel.S3KeyPrefix),
+						"snsTopicARN":  llx.StringDataPtr(channel.SnsTopicARN),
+						"region":       llx.StringData(regionVal),
+					})
+				if err != nil {
+					return nil, err
+				}
+				res = append(res, mqlDeliveryChannel)
+			}
+
+			return jobpool.JobResult(res), nil
+		}
+		tasks = append(tasks, jobpool.NewJob(f))
+	}
+	return tasks
+}
+
 func getName(name string, region string) string {
 	return name + "/" + region
 }