feat(configservice): test if aws config is enabled

README.md

@@ -241,6 +241,9 @@ The available log levels are: `debug`, `info`, `warn`, `error`, `fatal`, `panic`
 - AWS_VPC_006 VPC's Subnets are in different zones
 - AWS_VPC_007 VPC have public and private subnets
 
+### AWS Config
+- AWS_CFG_001 AWS Config is enabled in the account
+
 <!-- END_YATAS -->
 
 ## How to add a new test ?

aws/configservice/configservice.go

@@ -0,0 +1,32 @@
+package configservice
+
+import (
+	"sync"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/padok-team/yatas/plugins/commons"
+)
+
+func RunChecks(wa *sync.WaitGroup, s aws.Config, c *commons.Config, queue chan []commons.Check) {
+
+	var checkConfig commons.CheckConfig
+	checkConfig.Init(c)
+	var checks []commons.Check
+	configurationRecorderStatus := GetConfigurationRecorderStatus(s)
+
+	go commons.CheckTest(checkConfig.Wg, c, "AWS_CFG_001", CheckIfConfigServiceIsEnabled)(checkConfig, "AWS_CFG_001", configurationRecorderStatus)
+
+	go func() {
+		for t := range checkConfig.Queue {
+			t.EndCheck()
+			checks = append(checks, t)
+
+			checkConfig.Wg.Done()
+
+		}
+	}()
+
+	checkConfig.Wg.Wait()
+
+	queue <- checks
+}

aws/configservice/configserviceEnabled.go

@@ -0,0 +1,27 @@
+package configservice
+
+import (
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/service/configservice/types"
+	"github.com/padok-team/yatas/plugins/commons"
+)
+
+func CheckIfConfigServiceIsEnabled(checkConfig commons.CheckConfig, testName string, configurationRecorderStatus []types.ConfigurationRecorderStatus) {
+	var check commons.Check
+	check.InitCheck("AWS Config is enabled in the account", "Check if AWS Config is enabled", testName, []string{"Security", "Good Practice"})
+
+	Message := "AWS Config is not enabled"
+	result := commons.Result{Status: "FAIL", Message: Message}
+
+	for _, recorderStatus := range configurationRecorderStatus {
+		if aws.ToBool(&recorderStatus.Recording) {
+			Message = "AWS Config is enabled"
+			result = commons.Result{Status: "OK", Message: Message}
+			break
+		}
+	}
+
+	check.AddResult(result)
+
+	checkConfig.Queue <- check
+}

aws/configservice/configserviceEnabled_test.go

@@ -0,0 +1,97 @@
+package configservice
+
+import (
+	"testing"
+
+	"github.com/aws/aws-sdk-go-v2/service/configservice/types"
+	"github.com/padok-team/yatas/plugins/commons"
+)
+
+func TestCheckIfConfigServiceIsEnabled(t *testing.T) {
+	t.Run("AWS Config is not enabled (empty recorder status)", func(t *testing.T) {
+		queue := make(chan commons.Check, 1)
+		checkConfig := commons.CheckConfig{Queue: queue}
+		configurationRecorderStatus := []types.ConfigurationRecorderStatus{}
+
+		CheckIfConfigServiceIsEnabled(checkConfig, "TestAWSConfigDisabled", configurationRecorderStatus)
+
+		check := <-queue
+		if len(check.Results) != 1 {
+			t.Fatalf("Expected 1 result, got %d", len(check.Results))
+		}
+		result := check.Results[0]
+		if result.Status != "FAIL" {
+			t.Errorf("Expected status FAIL, got %s", result.Status)
+		}
+		if result.Message != "AWS Config is not enabled" {
+			t.Errorf("Expected message 'AWS Config is not enabled', got '%s'", result.Message)
+		}
+	})
+
+	t.Run("AWS Config is enabled (Recording is true)", func(t *testing.T) {
+		queue := make(chan commons.Check, 1)
+		checkConfig := commons.CheckConfig{Queue: queue}
+		configurationRecorderStatus := []types.ConfigurationRecorderStatus{
+			{Recording: true},
+		}
+
+		CheckIfConfigServiceIsEnabled(checkConfig, "TestAWSConfigEnabled", configurationRecorderStatus)
+
+		check := <-queue
+		if len(check.Results) != 1 {
+			t.Fatalf("Expected 1 result, got %d", len(check.Results))
+		}
+		result := check.Results[0]
+		if result.Status != "OK" {
+			t.Errorf("Expected status OK, got %s", result.Status)
+		}
+		if result.Message != "AWS Config is enabled" {
+			t.Errorf("Expected message 'AWS Config is enabled', got '%s'", result.Message)
+		}
+	})
+
+	t.Run("AWS Config is not enabled (Recording is false)", func(t *testing.T) {
+		queue := make(chan commons.Check, 1)
+		checkConfig := commons.CheckConfig{Queue: queue}
+		configurationRecorderStatus := []types.ConfigurationRecorderStatus{
+			{Recording: false},
+		}
+
+		CheckIfConfigServiceIsEnabled(checkConfig, "TestAWSConfigDisabledFalse", configurationRecorderStatus)
+
+		check := <-queue
+		if len(check.Results) != 1 {
+			t.Fatalf("Expected 1 result, got %d", len(check.Results))
+		}
+		result := check.Results[0]
+		if result.Status != "FAIL" {
+			t.Errorf("Expected status FAIL, got %s", result.Status)
+		}
+		if result.Message != "AWS Config is not enabled" {
+			t.Errorf("Expected message 'AWS Config is not enabled', got '%s'", result.Message)
+		}
+	})
+
+	t.Run("AWS Config is enabled with at least one Recording as true", func(t *testing.T) {
+		queue := make(chan commons.Check, 1)
+		checkConfig := commons.CheckConfig{Queue: queue}
+		configurationRecorderStatus := []types.ConfigurationRecorderStatus{
+			{Recording: true},
+			{Recording: false},
+		}
+
+		CheckIfConfigServiceIsEnabled(checkConfig, "TestAWSConfigEnabled", configurationRecorderStatus)
+
+		check := <-queue
+		if len(check.Results) != 1 {
+			t.Fatalf("Expected 1 result, got %d", len(check.Results))
+		}
+		result := check.Results[0]
+		if result.Status != "OK" {
+			t.Errorf("Expected status OK, got %s", result.Status)
+		}
+		if result.Message != "AWS Config is enabled" {
+			t.Errorf("Expected message 'AWS Config is enabled', got '%s'", result.Message)
+		}
+	})
+}

aws/configservice/getter.go

@@ -0,0 +1,21 @@
+package configservice
+
+import (
+	"context"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/service/configservice"
+	"github.com/aws/aws-sdk-go-v2/service/configservice/types"
+	"github.com/padok-team/yatas-aws/logger"
+)
+
+func GetConfigurationRecorderStatus(s aws.Config) []types.ConfigurationRecorderStatus {
+	svc := configservice.NewFromConfig(s)
+	result, err := svc.DescribeConfigurationRecorderStatus(context.TODO(), &configservice.DescribeConfigurationRecorderStatusInput{})
+	if err != nil {
+		logger.Logger.Error(err.Error())
+		return []types.ConfigurationRecorderStatus{}
+	}
+
+	return result.ConfigurationRecordersStatus
+}

go.mod

@@ -12,6 +12,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.46.3
 	github.com/aws/aws-sdk-go-v2/service/cognitoidentity v1.27.8
 	github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider v1.48.1
+	github.com/aws/aws-sdk-go-v2/service/configservice v1.51.1
 	github.com/aws/aws-sdk-go-v2/service/dynamodb v1.38.0
 	github.com/aws/aws-sdk-go-v2/service/ec2 v1.198.0
 	github.com/aws/aws-sdk-go-v2/service/ecr v1.36.7

go.sum

@@ -30,6 +30,8 @@ github.com/aws/aws-sdk-go-v2/service/cognitoidentity v1.27.8 h1:mgVSYWMnSZ6QTeCd
 github.com/aws/aws-sdk-go-v2/service/cognitoidentity v1.27.8/go.mod h1:eVAaMRWHgjdGuTJCjlmcwYleskahesLPrGFV4MpQYvA=
 github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider v1.48.1 h1:qMJk1I55avN/vN+51rPdE0dLgkhWrlU6Cw0Wg34eQvM=
 github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider v1.48.1/go.mod h1:U+GnB0KkXI5SgVMzW2J1FHMGbAiObr1XaIGZSMejLlI=
+github.com/aws/aws-sdk-go-v2/service/configservice v1.51.1 h1:zA4KArT5FZ4ypJc8X+7MJNN3iv74K8ygmFhci64M4YI=
+github.com/aws/aws-sdk-go-v2/service/configservice v1.51.1/go.mod h1:2fOznUkaoZ2EtJimN0zizQRxQmkndSJz/SSd2x0goKo=
 github.com/aws/aws-sdk-go-v2/service/dynamodb v1.38.0 h1:isKhHsjpQR3CypQJ4G1g8QWx7zNpiC/xKw1zjgJYVno=
 github.com/aws/aws-sdk-go-v2/service/dynamodb v1.38.0/go.mod h1:xDvUyIkwBwNtVZJdHEwAuhFly3mezwdEWkbJ5oNYwIw=
 github.com/aws/aws-sdk-go-v2/service/ec2 v1.198.0 h1:ivPJXmGlzAjgy0jLO9naExUWE8IM8lLRcRKLPBEx6Q0=

main.go

@@ -17,6 +17,7 @@ import (
 	"github.com/padok-team/yatas-aws/aws/cloudfront"
 	"github.com/padok-team/yatas-aws/aws/cloudtrail"
 	"github.com/padok-team/yatas-aws/aws/cognito"
+	"github.com/padok-team/yatas-aws/aws/configservice"
 	"github.com/padok-team/yatas-aws/aws/dynamodb"
 	"github.com/padok-team/yatas-aws/aws/ec2"
 	"github.com/padok-team/yatas-aws/aws/ecr"
@@ -177,6 +178,7 @@ func initTest(s aws.Config, c *commons.Config, a internal.AWS_Account) commons.T
 	go commons.CheckMacroTest(&wg, c, guardduty.RunChecks)(&wg, s, c, queue)
 	go commons.CheckMacroTest(&wg, c, iam.RunChecks)(&wg, s, c, queue)
 	go commons.CheckMacroTest(&wg, c, eks.RunChecks)(&wg, s, c, queue)
+	go commons.CheckMacroTest(&wg, c, configservice.RunChecks)(&wg, s, c, queue)
 
 	go func() {
 		for t := range queue {