Added AWS 'RDS Deletion Protection Enabled' plugin and test cases
1 parent
a3dcef2
commit f972686
Showing
3 changed files
with
159 additions
and
0 deletions.
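--- /dev/null
+++ b/PATH_NOT_SHOWN/rdsDeletionProtectionEnabled.js
@@ -0,0 +1,52 @@
+var async = require('async');
+var helpers = require('../../../helpers/aws');
+
+module.exports = {
+title: 'RDS Deletion Protection Enabled',
+category: 'RDS',
+description: 'Ensures deletion protection is enabled for RDS database instances.',
+more_info: 'Deletion protection prevents Amazon RDS instances from being deleted accidentally by any user.',
+link: 'https://aws.amazon.com/about-aws/whats-new/2018/09/amazon-rds-now-provides-database-deletion-protection/',
+recommended_action: 'Modify the RDS instances to enable deletion protection.',
+apis: ['RDS:describeDBInstances'],
+
+run: function(cache, settings, callback) {
+var results = [];
+var source = {};
+var regions = helpers.regions(settings);
+
+async.each(regions.rds, function(region, rcb) {
+var describeDBInstances = helpers.addSource(cache, source,
+['rds', 'describeDBInstances', region]);
+
+if (!describeDBInstances) return rcb();
+
+if (describeDBInstances.err || !describeDBInstances.data) {
+helpers.addResult(results, 3,
+'Unable to query for RDS instances: ' + helpers.addError(describeDBInstances), region);
+return rcb();
+}
+
+if (!describeDBInstances.data.length) {
+helpers.addResult(results, 0, 'No RDS instances found', region);
+return rcb();
+}
+
+describeDBInstances.data.forEach(instance => {
+if (!instance.DBInstanceArn) return;
+
+if (instance.DeletionProtection) {
+helpers.addResult(results, 0,
+'RDS instance has deletion protection enabled', region, instance.DBInstanceArn);
+} else {
+helpers.addResult(results, 2,
+'RDS instance does not have deletion protection enabled', region, instance.DBInstanceArn);
+}
+});
+
+rcb();
+}, function() {
+callback(null, results, source);
+});
+}
+};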
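Review bot: The instance-level `DeletionProtection` flag read inside the `forEach` over `describeDBInstances.data` is presumably not the effective setting for Aurora cluster members, where deletion protection is configured on the DB cluster, so such instances would be reported as status 2 here even when their cluster is protected; consider skipping instances that carry a `DBClusterIdentifier` (or evaluating them through `RDS:describeDBClusters`) and confirm this against a real API response before relying on the result. The `if (!instance.DBInstanceArn) return;` guard also drops an instance without emitting any result, which is easy to misread as a bug; a comment such as `// no ARN to report against, so the instance is skipped rather than failed` would make it deliberate.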
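--- /dev/null
+++ b/PATH_NOT_SHOWN/test-for-rdsDeletionProtectionEnabled.js
@@ -0,0 +1,106 @@
+const expect = require('chai').expect;
+var rdsDeletionProtectionEnabled = require('./rdsDeletionProtectionEnabled');
+
+const describeDBInstances = [
+{
+"DBInstanceIdentifier": "database-1",
+"Engine": "mysql",
+"DBInstanceStatus": "available",
+"DBInstanceArn": "arn:aws:rds:us-east-1:560213429563:db:database-1",
+"IAMDatabaseAuthenticationEnabled": false,
+"PerformanceInsightsEnabled": false,
+"DeletionProtection": true,
+"AssociatedRoles": [],
+"TagList": [],
+"CustomerOwnedIpEnabled": false
+},
+{
+"DBInstanceIdentifier": "database-1",
+"Engine": "mysql",
+"DBInstanceStatus": "available",
+"DBInstanceArn": "arn:aws:rds:us-east-1:560213429563:db:database-1",
+"IAMDatabaseAuthenticationEnabled": false,
+"PerformanceInsightsEnabled": false,
+"DeletionProtection": false,
+"AssociatedRoles": [],
+"TagList": [],
+"CustomerOwnedIpEnabled": false
+}
+];
+
+const createCache = (instanceData, instanceErr) => {
+return {
+rds: {
+describeDBInstances: {
+'us-east-1': {
+data: instanceData,
+err: instanceErr
+}
+}
+}
+};
+};
+
+const createNullCache = () => {
+return {
+rds: {
+describeDBInstances: {
+'us-east-1': null
+}
+}
+};
+};
+
+describe('rdsDeletionProtectionEnabled', function () {
+describe('run', function () {
+
+it('should PASS if RDS instance has deletion protection enabled', function (done) {
+const cache = createCache([describeDBInstances[0]]);
+rdsDeletionProtectionEnabled.run(cache, {}, (err, results) => {
+expect(results.length).to.equal(1);
+expect(results[0].status).to.equal(0);
+expect(results[0].region).to.equal('us-east-1');
+done();
+});
+});
+
+it('should FAIL if RDS instance does not have deletion protection enabled', function (done) {
+const cache = createCache([describeDBInstances[1]]);
+rdsDeletionProtectionEnabled.run(cache, {}, (err, results) => {
+expect(results.length).to.equal(1);
+expect(results[0].status).to.equal(2);
+expect(results[0].region).to.equal('us-east-1');
+done();
+});
+});
+
+it('should PASS if no RDS instances found', function (done) {
+const cache = createCache([]);
+rdsDeletionProtectionEnabled.run(cache, {}, (err, results) => {
+expect(results.length).to.equal(1);
+expect(results[0].status).to.equal(0);
+expect(results[0].region).to.equal('us-east-1');
+done();
+});
+});
+
+it('should UNKNOWN if unable to describe RDS instances', function (done) {
+const cache = createCache([], { message: 'Unable to describe instances' });
+rdsDeletionProtectionEnabled.run(cache, {}, (err, results) => {
+expect(results.length).to.equal(1);
+expect(results[0].status).to.equal(3);
+expect(results[0].region).to.equal('us-east-1');
+done();
+});
+});
+
+
+it('should not return anything if describe RDS instances response not found', function (done) {
+const cache = createNullCache();
+rdsDeletionProtectionEnabled.run(cache, {}, (err, results) => {
+expect(results.length).to.equal(0);
+done();
+});
+});
+});
+});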
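Review bot: No case exercises the plugin's `if (!instance.DBInstanceArn) return;` branch, so an instance record without an ARN silently producing no result is untested; the case below adds it with the existing `createCache` helper. The two fixture entries in `describeDBInstances` also share the same `DBInstanceIdentifier` and `DBInstanceArn` (`database-1`), which is harmless while each test passes a single entry but would make a two-entry assertion failure hard to read; giving the second a distinct name avoids that. None of the callbacks checks the first argument, so an `expect(err).to.be.null;` in each would pin that `run` reports success through the callback rather than only through `results`.
```javascript
// … unchanged: existing cases …
it('should not return a result for an instance without a DBInstanceArn', function (done) {
    const cache = createCache([{ DBInstanceIdentifier: 'database-1', DeletionProtection: false }]);
    rdsDeletionProtectionEnabled.run(cache, {}, (err, results) => {
        expect(results.length).to.equal(0);
        done();
    });
});
```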