AWS Config Gard Rule Evaluation

0

Hello folks

I am having a hard time understanding how AWS guard rules that fail and pass are evaluated when used with Config. I wanted to replicate an existing rule that detects public S3 buckets: https://github.com/aws-cloudformation/cloudformation-guard/blob/901d40a6f01553d14adf9ab398c7eec55c2b5a36/guard/resources/rules-dir/s3_bucket_public_read_prohibited.guard

I realized that this rule applies to a cloudformation template. I wanted to apply it to a Config recorded object so i adapted the rule to:

rule isPublicAccessBlockConfigurationBlockSecure when isPublicAccessBlockConfigurationBlockPresent {
  supplementaryConfiguration.PublicAccessBlockConfiguration exists 
  supplementaryConfiguration.PublicAccessBlockConfiguration.blockPublicAcls == true
  supplementaryConfiguration.PublicAccessBlockConfiguration.blockPublicPolicy == true
  supplementaryConfiguration.PublicAccessBlockConfiguration.ignorePublicAcls == true
  supplementaryConfiguration.PublicAccessBlockConfiguration.restrictPublicBuckets == true 
}

When testing this locally (cfn-guard) i got a fail on an open bucket with an explanation along the lines:

Property traversed until [/supplementaryConfiguration] in data [PublicBucketAccess-test-fail.json] is not compliant with [PublicBucketAccess.guard/absentPublicAccessBlockConfigurationBlock] due to retrieval error.

I was under the assumption that if there is a retrieval error, Config marks the resource as non-compliant but it either provides no results or marks it as compliant and does not give any error. However, when i changed to:

rule isBucketToBeSecured when resourceType == "AWS::S3::Bucket" {
  ...some checks...
}
rule isPublicAccessBlockConfigurationBlockPresent when isBucketToBeSecured {
  supplementaryConfiguration.PublicAccessBlockConfiguration exists 
}

rule isPublicAccessBlockConfigurationBlockSecure when isPublicAccessBlockConfigurationBlockPresent {
  supplementaryConfiguration.PublicAccessBlockConfiguration.blockPublicAcls == true
  supplementaryConfiguration.PublicAccessBlockConfiguration.blockPublicPolicy == true
  supplementaryConfiguration.PublicAccessBlockConfiguration.ignorePublicAcls == true
  supplementaryConfiguration.PublicAccessBlockConfiguration.restrictPublicBuckets == true 
}

It now works. Does anyone know why Config has such a strange evaluation mechanism where a failure to retrieve a key gives no compliance results or marks the resources as good to go?

Also, is there a cleaner way to test for the existence of a key before trying to access subkeys without causing a failure. When i used:

rule taggedBucketIsSecure2 when resourceType == "AWS::S3::Bucket" {
  let publicAccessBlockConfiguration = supplementaryConfiguration.PublicAccessBlockConfiguration
  when %publicAccessBlockConfiguration exists {
    supplementaryConfiguration.PublicAccessBlockConfiguration.blockPublicAcls == true
    supplementaryConfiguration.PublicAccessBlockConfiguration.blockPublicPolicy == true
    supplementaryConfiguration.PublicAccessBlockConfiguration.ignorePublicAcls == true
    supplementaryConfiguration.PublicAccessBlockConfiguration.restrictPublicBuckets == true
  }
}

I got:


Rule [PublicBucketAccess.guard/taggedBucketIsSecure2] is not applicable for template [PublicBucketAccess-test-fail.json]

I assume the problem is that since when does not evaluate to true, it skips the evaluation and instead of marking the resource as non-compliant it either fails or marks it as compliant.

Thanks in advance

asked 3 months ago28 views
No Answers

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions