Merge pull request #2062 from AkhtarAmir/H-plugin/aws-qldb-ledger-has…

…-tags H-plugin QLDB Ledger Has Tags
aquasecurity · Sep 18, 2024 · a21e9bc · a21e9bc
2 parents 81ed022 + 2941bf0
commit a21e9bc
Show file tree

Hide file tree

Showing 3 changed files with 169 additions and 0 deletions.
diff --git a/exports.js b/exports.js
@@ -498,6 +498,7 @@ module.exports = {
         'ssmSessionDuration'            : require(__dirname + '/plugins/aws/ssm/ssmSessionDuration'),
 
         'ledgerEncrypted'               : require(__dirname + '/plugins/aws/qldb/ledgerEncrypted'),
+        'ledgerHasTags'                 : require(__dirname + '/plugins/aws/qldb/ledgerHasTags'),
         'ledgerDeletionProtection'      : require(__dirname + '/plugins/aws/qldb/ledgerDeletionProtection'),
 
         'lambdaAdminPrivileges'         : require(__dirname + '/plugins/aws/lambda/lambdaAdminPrivileges.js'),

diff --git a/plugins/aws/qldb/ledgerHasTags.js b/plugins/aws/qldb/ledgerHasTags.js
@@ -0,0 +1,58 @@
+var async = require('async');
+var helpers = require('../../../helpers/aws');
+
+module.exports = {
+    title: 'Ledger Has Tags',
+    category: 'QLDB',
+    domain: 'Databases',
+    severity: 'Low',
+    description: 'Ensure that AWS QLDB ledgers have tags associated.',
+    more_info: 'Tags help you to group resources together that are related to or associated with each other. It is a best practice to tag cloud resources to better organize and gain visibility into their usage.',
+    recommended_action: 'Modify QLDB ledger and add tags.',
+    link: 'https://docs.aws.amazon.com/qldb/latest/developerguide/tagging.html',
+    apis: ['QLDB:listLedgers','ResourceGroupsTaggingAPI:getResources','STS:getCallerIdentity'],
+    realtime_triggers: ['qldb:CreateLedger', 'qldb:DeleteLedger', 'qldb:TagResource', 'qldb:UntagResource'], 
+
+    run: function(cache, settings, callback) {
+        var results = [];
+        var source = {};
+        var regions = helpers.regions(settings);
+
+        var defaultRegion = helpers.defaultRegion(settings);
+        var awsOrGov = helpers.defaultPartition(settings);
+        var accountId = helpers.addSource(cache, source, ['sts', 'getCallerIdentity', defaultRegion, 'data']);
+
+        async.each(regions.qldb, function(region, rcb){        
+            var listLedgers = helpers.addSource(cache, source,
+                ['qldb', 'listLedgers', region]);
+
+            if (!listLedgers) return rcb();
+
+            if (listLedgers.err || !listLedgers.data) {
+                helpers.addResult(results, 3,
+                    'Unable to query QLDB ledgers: ' + helpers.addError(listLedgers), region);
+                return rcb();
+            }
+
+            if (!listLedgers.data.length) {
+                helpers.addResult(results, 0, 'No QLDB ledgers found', region);
+                return rcb();
+            }
+
+            const arnList = [];
+
+            for (let ledger of listLedgers.data) {
+                if (!ledger.Name) continue;
+
+                let resource = `arn:${awsOrGov}:qldb:${region}:${accountId}:ledger/${ledger.Name}`;
+                arnList.push(resource);
+            }
+
+            helpers.checkTags(cache, 'QLDB ledger', arnList, region, results, settings);
+
+            rcb();
+        }, function(){
+            callback(null, results, source);
+        });
+    }
+};
diff --git a/plugins/aws/qldb/ledgerHasTags.spec.js b/plugins/aws/qldb/ledgerHasTags.spec.js
@@ -0,0 +1,110 @@
+var expect = require('chai').expect;
+var ledgerHasTags = require('./ledgerHasTags');
+
+const listLedgers = [   
+    {
+        "Name": "test-ledger",
+        "State": "ACTIVE",
+        "CreationDateTime": "2021-11-19T16:29:08.899000+05:00" 
+    } 
+];
+
+const getResources = [
+    {
+        "ResourceARN": "arn:aws:qldb:us-east-1:000111222333:ledger/test-ledger",
+        "Tags": [],
+    },
+     {
+        "ResourceARN": "arn:aws:qldb:us-east-1:000111222333:ledger/test-ledger",
+        "Tags": [{key: 'value'}],
+    }
+]
+
+const createCache = (ledgers, rgData, ledgersErr) => {
+    var name = (ledgers && ledgers.length) ? ledgers[0].Name: null;
+    return {
+        qldb: {
+            listLedgers: {
+                'us-east-1': {
+                    err: ledgersErr,
+                    data: ledgers
+                },
+            },
+        },
+        resourcegroupstaggingapi: {
+            getResources: {
+                'us-east-1':{
+                    err: null,
+                    data: rgData
+                }
+            }
+        },
+        sts: {
+            getCallerIdentity: {
+                'us-east-1': {
+                    data: '000111222333'
+                }
+            }
+        }
+    };
+};
+
+describe('ledgerHasTags', function () {
+    describe('run', function () {
+        it('should PASS if QLDB ledger has tags', function (done) {
+            const cache = createCache(listLedgers, [getResources[1]]);
+            ledgerHasTags.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].region).to.equal('us-east-1');
+                expect(results[0].message).to.include('QLDB ledger has tags');
+                done();
+            });
+        });
+
+        it('should FAIL if QLDb ledger does not have tags', function (done) {
+            const cache = createCache(listLedgers, [getResources[0]]);
+            ledgerHasTags.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(2);
+                expect(results[0].region).to.equal('us-east-1');
+                expect(results[0].message).to.include('QLDB ledger does not have any tags');
+                done();
+            });
+        });
+
+        it('should PASS if no QLDB ledgers found', function (done) {
+            const cache = createCache([]);
+            ledgerHasTags.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].region).to.equal('us-east-1');
+                expect(results[0].message).to.include('No QLDB ledgers found');
+                done();
+            });
+        });
+
+        it('should UNKNOWN if unable to list  QLDB ledgers', function (done) {
+            const cache = createCache(null, null, null, { message: "Unable to list QLDB ledgers" });
+            ledgerHasTags.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(3);
+                expect(results[0].region).to.equal('us-east-1');
+                expect(results[0].message).to.include('Unable to query QLDB ledgers');
+                done();
+            });
+        });
+
+        it('should give unknown result if unable to query resource group tagging api', function (done) {
+            const cache = createCache([listLedgers[0]],null);
+            ledgerHasTags.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(3);
+                expect(results[0].region).to.equal('us-east-1');
+                expect(results[0].message).to.include('Unable to query all resources')
+                done();
+            });
+        });
+
+    });
+})