Take the following sample pack:

```yaml
packs:
  - uid: mondoo-incident-response-aws
    name: AWS Incident Response Pack (Test)
    queries:
      - uid: mondoo-incident-response-aws-iam-administrator-access
        title: IAM users, groups, and roles to which the AdministratorAccess policy is attached
        variants:
          - uid: mondoo-incident-response-aws-iam-administrator-access-all
          - uid: mondoo-incident-response-aws-iam-administrator-access-user
      - uid: mondoo-incident-response-aws-iam-administrator-access-all
        filters: |
          asset.platform == "aws"
        mql: |
          aws.iam.attachedPolicies.
            where( arn == "arn:aws:iam::aws:policy/AdministratorAccess" ) {
              attachedUsers
              attachedGroups
              attachedRoles
            }
      - uid: mondoo-incident-response-aws-iam-administrator-access-user
        filters: |
          asset.platform == "aws-iam-user"
          aws.iam.attachedPolicies
            .where(arn == "arn:aws:iam::aws:policy/AdministratorAccess")
            .any(attachedUsers
              .contains(
                arn.in(asset.ids)
              )
            )
        mql: |
          aws.iam.user {
            arn
            name
            policies
            id
            tags
            attachedPolicies
            createDate
            accessKeys
            loginProfile
            groups
          }
```

Structurally it looks fine and is compliant with the struct that we expose for query packs. However, we want to enforce that no variants are defined inline and those are only defined top-level (bundle level). We should adjust the bundle code to ensure that this pack above spits out a better error when being compiled. We should also adjust the linting/fmting to show this as an error when formatting policies/packs.
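One way the requested lint check could look, as an added example that is not part of the issue or the project's code. The `Query` and `Pack` types, `LintInlineVariants` and `SamplePack` are hypothetical, and the check assumes a variant counts as inline when a pack-level query entry carries a variant's uid together with an MQL body.

```go
package main

import "fmt"

// Hypothetical, simplified types for this example (not the project's structs).
type Query struct {
	UID      string
	MQL      string
	Variants []string // uids of the variant queries this query refers to
}

type Pack struct {
	UID     string
	Queries []Query
}

// LintInlineVariants returns one finding per variant query that a pack defines
// itself (assumption: same uid as a referenced variant, plus an MQL body).
func LintInlineVariants(packs []Pack) []string {
	var findings []string
	for _, p := range packs {
		parentOf := map[string]string{} // variant uid -> referencing query uid
		for _, q := range p.Queries {
			for _, v := range q.Variants {
				parentOf[v] = q.UID
			}
		}
		for _, q := range p.Queries {
			if parent, ok := parentOf[q.UID]; ok && q.MQL != "" {
				findings = append(findings, fmt.Sprintf(
					"pack %q: inline variant %q (of %q); define it at bundle level", p.UID, q.UID, parent))
			}
		}
	}
	return findings
}

// SamplePack is constructed from the pack in the issue, MQL bodies shortened.
func SamplePack() Pack {
	const base = "mondoo-incident-response-aws-iam-administrator-access"
	return Pack{UID: "mondoo-incident-response-aws", Queries: []Query{
		{UID: base, Variants: []string{base + "-all", base + "-user"}},
		{UID: base + "-all", MQL: "aws.iam.attachedPolicies"},
		{UID: base + "-user", MQL: "aws.iam.user"},
	}}
}

func main() {
	fmt.Println(LintInlineVariants([]Pack{SamplePack()}))
}
```

A pack that only references variant uids, with the definitions kept in the bundle-level queries, produces no findings.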