Conversation

@dev-slatto
Contributor

Description

According to the documentation of the CIS AWS Foundations Benchmark v1.2.0, the pattern for UnauthorizedAPICalls should be {($.errorCode="*UnauthorizedOperation") || ($.errorCode="AccessDenied*")}. As of today it also validates the sourceIP and the eventName, leading the check for CIS 3.1 to fail.

Motivation and Context

Merging this change will make the module compliant with the documentation of the CIS AWS Foundations Benchmark v1.2.0.

Breaking Changes

No breaking changes. Those users that still want to check for sourceIP and eventName can do so by utilising the control_overrides.

How Has This Been Tested?

  • I have updated at least one of the examples/* to demonstrate and validate my change(s)
  • I have tested and validated these changes using one or more of the provided examples/* projects
  • I have executed pre-commit run -a on my pull request
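
Added example (not code from this PR or from the module): a small Python matcher for the CIS 3.1 pattern quoted above, run over constructed CloudTrail-style records, beside a hypothetical stricter variant that additionally excludes certain sourceIPAddress/eventName values, of the kind the description says the module currently applies. The exclusion values and sample records are illustrative assumptions, not the module's actual pattern or real log data.

```python
import fnmatch

# CIS AWS Foundations Benchmark v1.2.0, control 3.1 metric filter pattern:
#   {($.errorCode="*UnauthorizedOperation") || ($.errorCode="AccessDenied*")}
# CloudWatch Logs JSON filter patterns treat "*" as a wildcard; fnmatch
# reproduces that for these two terms (errorCode values contain no "?" or "[").
CIS_3_1_ERROR_CODE_GLOBS = ("*UnauthorizedOperation", "AccessDenied*")


def matches_cis_3_1(event: dict) -> bool:
    """True if a CloudTrail record would match the CIS 3.1 pattern as written."""
    error_code = event.get("errorCode")
    if not isinstance(error_code, str):
        return False  # a record without $.errorCode matches neither term
    return any(fnmatch.fnmatchcase(error_code, g) for g in CIS_3_1_ERROR_CODE_GLOBS)


def matches_with_extra_conditions(event: dict, excluded_source_ips=(),
                                  excluded_event_names=()) -> bool:
    """Hypothetical stricter pattern: the CIS terms AND'ed with sourceIPAddress and
    eventName exclusions. Exclusion values are caller-supplied illustrations, not
    the module's real ones. Any exclusion silently drops a CIS-relevant record."""
    if not matches_cis_3_1(event):
        return False
    if event.get("sourceIPAddress") in excluded_source_ips:
        return False
    return event.get("eventName") not in excluded_event_names


# Constructed CloudTrail-style records for the demonstration (not real log data).
SAMPLE_EVENTS = [
    {"eventName": "DescribeInstances", "errorCode": "Client.UnauthorizedOperation",
     "sourceIPAddress": "198.51.100.7"},
    {"eventName": "GetObject", "errorCode": "AccessDenied",
     "sourceIPAddress": "203.0.113.10"},
    {"eventName": "HeadBucket", "errorCode": "AccessDenied",
     "sourceIPAddress": "203.0.113.10"},
    {"eventName": "ListBuckets", "sourceIPAddress": "198.51.100.7"},  # no error
    {"eventName": "AssumeRole", "errorCode": "AccessDeniedException",
     "sourceIPAddress": "198.51.100.9"},
]


def count_matches(events, matcher) -> int:
    """Number of records a given matcher would feed into the metric."""
    return sum(1 for e in events if matcher(e))


if __name__ == "__main__":
    strict = lambda e: matches_with_extra_conditions(
        e, excluded_source_ips=("203.0.113.10",), excluded_event_names=("HeadBucket",))
    print("CIS 3.1 pattern:", count_matches(SAMPLE_EVENTS, matches_cis_3_1))  # 4
    print("with extra exclusions:", count_matches(SAMPLE_EVENTS, strict))  # 2
```

The difference in counts is the reason an auditor comparing the deployed filter against the benchmark text flags the stricter variant: it is not the CIS 3.1 pattern and it undercounts unauthorized calls.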

@dev-slatto
Contributor Author

Hey @antonbabenko! 👋🏼
Do you have the time to give this a review? 😄

@antonbabenko antonbabenko changed the title fix: Update UnauthorizedAPICalls pattern feat: Updated UnauthorizedAPICalls pattern to pass CIS v1.2.0 Jan 3, 2023
@antonbabenko
Member

@bryantbiggs Do you have any idea what can be the reason and solution for failing CI runs (e.g. this)?

PS: It is hard to come back from vacation... LOL

@bryantbiggs
Member

Yes, it seems something changed recently on GitHub's side. terraform-aws-modules/terraform-aws-rds#467 (comment)

I'll update the workflows today but that PR has the "fix" to avoid this rate limiting

@antonbabenko
Member

@dev-slatto Please update this PR with the change Bryant mentioned and we will be good to go with this PR.

Thank you!

@dev-slatto
Contributor Author

Ofc! Done @antonbabenko 😉

@antonbabenko antonbabenko merged commit 6901778 into terraform-aws-modules:master Jan 3, 2023
antonbabenko pushed a commit that referenced this pull request Jan 3, 2023
## [4.1.0](v4.0.0...v4.1.0) (2023-01-03)

### Features

* Updated UnauthorizedAPICalls pattern to pass CIS v1.2.0 ([#48](#48)) ([6901778](6901778))
@antonbabenko
Member

This PR is included in version 4.1.0 🎉

@github-actions

github-actions bot commented Feb 3, 2023

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 3, 2023