Merge pull request #115 from cloudgraphdev/fix/CG-1328-for-aws-cis-rule-215

fix(CG-1328): add account level s3 public access block for the rule c…

Author: tyler-dunkel

src/services/s3/data.ts

@@ -1,10 +1,12 @@
 import CloudGraph from '@cloudgraph/sdk'
 import groupBy from 'lodash/groupBy'
 import isEmpty from 'lodash/isEmpty'
+import AWS from 'aws-sdk'
 
 import { AWSError } from 'aws-sdk/lib/error'
 import { Config } from 'aws-sdk/lib/config'
 import S3, {
+  AccountId,
   Bucket,
   BucketAccelerateStatus,
   BucketLocationConstraint,
@@ -61,6 +63,30 @@ export const awsBucketItemsLimit = 1000
 export const publicBucketGrant =
   'http://acs.amazonaws.com/groups/global/AllUsers'
 
+const getAccountPublicAccessBlock = async ({
+  region,
+  accountId,
+}: {
+  region: string,
+  accountId: AccountId,
+}) =>
+  new Promise<PublicAccessBlockConfiguration | any>(resolve => {
+    const s3Control = new AWS.S3Control({
+      region: region,
+    })
+    s3Control.getPublicAccessBlock(
+      {
+        AccountId: accountId,
+      },
+      (err: AWSError, data: GetPublicAccessBlockOutput) => {
+        if (!isEmpty(data)) {
+          resolve(data.PublicAccessBlockConfiguration)
+        }
+        resolve({})
+      }
+    )
+  })
+
 const getBucketAcl = async (s3: S3, name: BucketName) =>
   new Promise<GetBucketAclOutput>(resolve => {
     s3.getBucketAcl(
@@ -496,14 +522,20 @@ export interface RawAwsS3 {
   Id: string
   Name: string
   region: string
+  AccountLevelBlockPublicAcls?: boolean
+  AccountLevelIgnorePublicAcls?: boolean
+  AccountLevelBlockPublicPolicy?: boolean
+  AccountLevelRestrictPublicBuckets?: boolean
 }
 
 export default async ({
   regions,
   config,
+  account,
 }: {
   regions: string
   config: Config
+  account: string
 }): Promise<{
   [region: string]: RawAwsS3[]
 }> =>
@@ -514,7 +546,19 @@ export default async ({
     const additionalInfoPromises = []
 
     regions.split(',').map((region: BucketLocationConstraint) => {
+      // TODO: temp implementation to add account level public access block to bucket level
+      // need to find a better place/way to put the data
       const regionPromise = new Promise<void>(async resolveRegion => {
+        const {
+          BlockPublicAcls,
+          IgnorePublicAcls,
+          BlockPublicPolicy,
+          RestrictPublicBuckets,
+        } = await getAccountPublicAccessBlock({
+          region,
+          accountId: account,
+        });
+
         const s3 = new S3({
           ...config,
           region,
@@ -538,6 +582,10 @@ export default async ({
                 region,
                 CreationDate: bucket.CreationDate,
                 Tags: {},
+                AccountLevelBlockPublicAcls: BlockPublicAcls,
+                AccountLevelIgnorePublicAcls: IgnorePublicAcls,
+                AccountLevelBlockPublicPolicy: BlockPublicPolicy,
+                AccountLevelRestrictPublicBuckets: RestrictPublicBuckets,
               })
             }
           })

src/services/s3/format.ts

@@ -33,6 +33,10 @@ export default ({
     Name: name,
     Contents: bucketContents = [],
     Tags: tags = {},
+    AccountLevelBlockPublicAcls: accountLevelBlockPublicAcls,
+    AccountLevelIgnorePublicAcls: accountLevelIgnorePublicAcls,
+    AccountLevelBlockPublicPolicy: accountLevelBlockPublicPolicy,
+    AccountLevelRestrictPublicBuckets: accountLevelRestrictPublicBuckets,
     AdditionalInfo: {
       AccelerationConfig: accelerationStatus,
       BucketOwnerData: { DisplayName: bucketOwnerName },
@@ -279,6 +283,10 @@ export default ({
     requesterPays: reqPaymentConfig === 'Requester' ? t.enabled : t.disabled,
     size,
     tags: s3Tags,
+    accountLevelBlockPublicAcls: accountLevelBlockPublicAcls ? t.yes : t.no,
+    accountLevelIgnorePublicAcls: accountLevelIgnorePublicAcls ? t.yes : t.no,
+    accountLevelBlockPublicPolicy: accountLevelBlockPublicPolicy ? t.yes : t.no,
+    accountLevelRestrictPublicBuckets: accountLevelRestrictPublicBuckets ? t.yes : t.no,
     totalNumberOfObjectsInBucket: greaterThanTotalLimit
       ? `${awsBucketItemsLimit}+`
       : `${total}`,

src/services/s3/schema.graphql

@@ -81,6 +81,10 @@ type awsS3 implements awsBaseService @key(fields: "arn") {
   bucketOwnerName: String @search(by: [hash, regexp])
   requesterPays: String @search(by: [hash, regexp])
   size: String @search(by: [hash, regexp])
+  accountLevelBlockPublicAcls: String @search(by: [hash, regexp])
+  accountLevelIgnorePublicAcls: String @search(by: [hash, regexp])
+  accountLevelBlockPublicPolicy: String @search(by: [hash, regexp])
+  accountLevelRestrictPublicBuckets: String @search(by: [hash, regexp])
   totalNumberOfObjectsInBucket: String @search(by: [hash, regexp])
   transferAcceleration: String @search(by: [hash, regexp])
   corsConfiguration: String @search(by: [hash, regexp])

src/types/generated.ts

@@ -3871,6 +3871,10 @@ export type AwsRouteTable = AwsBaseService & {
 
 export type AwsS3 = AwsBaseService & {
   access?: Maybe<Scalars['String']>;
+  accountLevelBlockPublicAcls?: Maybe<Scalars['String']>;
+  accountLevelBlockPublicPolicy?: Maybe<Scalars['String']>;
+  accountLevelIgnorePublicAcls?: Maybe<Scalars['String']>;
+  accountLevelRestrictPublicBuckets?: Maybe<Scalars['String']>;
   aclGrants?: Maybe<Array<Maybe<AwsS3AclGrant>>>;
   blockPublicAcls?: Maybe<Scalars['String']>;
   blockPublicPolicy?: Maybe<Scalars['String']>;