From 76345349988a87a0213cfe27367b548b97685db6 Mon Sep 17 00:00:00 2001
From: Eddie Knight
Date: Mon, 30 Oct 2023 20:13:43 -0500
Subject: [PATCH 1/3] multiregion messages
---
 strikes/MultiRegion.go | 10 +++++-----
 strikes/common.go | 3 ++-
 2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/strikes/MultiRegion.go b/strikes/MultiRegion.go
index ac2adba..294c760 100644
--- a/strikes/MultiRegion.go
+++ b/strikes/MultiRegion.go
@@ -10,7 +10,7 @@ func (a *Strikes) MultiRegion() (strikeName string, result raidengine.StrikeResu
 strikeName = "MultiRegion"
 result = raidengine.StrikeResult{
 Passed: false,
- Description: "Check if AWS RDS instance has multi region. This strike only checks for a read replica in a seperate region",
+ Description: "Check whether AWS RDS instance has multi-region read replicas",
 DocsURL: "https://www.github.com/krumIO/raid-rds",
 ControlID: "CCC-Taxonomy-1",
 Movements: make(map[string]raidengine.MovementResult),
@@ -46,7 +46,7 @@ func (a *Strikes) MultiRegion() (strikeName string, result raidengine.StrikeResu
 func checkRDSMultiRegionMovement(cfg aws.Config) (result raidengine.MovementResult) {
 result = raidengine.MovementResult{
- Description: "Check if the instance has multi region enabled",
+ Description: "Look for read replicas in a different region than the host instance",
 Function: utils.CallerPath(0),
 }
 instanceIdentifier, _ := getHostDBInstanceIdentifier()
@@ -58,7 +58,7 @@ func checkRDSMultiRegionMovement(cfg aws.Config) (result raidengine.MovementResu
 if len(readReplicas) == 0 {
 result.Passed = false
- result.Message = "Multi Region instances not found"
+ result.Message = "Read replicas not found for this instance"
 return
 }
@@ -78,7 +78,7 @@ func checkRDSMultiRegionMovement(cfg aws.Config) (result raidengine.MovementResu
 if len(replicaInstance.DBInstances) == 0 {
 result.Passed = false
- result.Message = "Cannot access the replica instance " + replica
+ result.Message = "Read replica exists, but cannot access: " + replica
 return
 }
@@ -87,7 +87,7 @@ func checkRDSMultiRegionMovement(cfg aws.Config) (result raidengine.MovementResu
 // db instance doesnt contain the region so we need to remove the last character from the az
 if az[:len(az)-1] == hostRDSRegion {
 result.Passed = false
- result.Message = "Multi Region instances not found"
+ result.Message = "Read replica exists, but not in a different region"
 return
 }
 }
diff --git a/strikes/common.go b/strikes/common.go
index bbcb196..6f67dd1 100644
--- a/strikes/common.go
+++ b/strikes/common.go
@@ -92,7 +92,7 @@ func connectToDb() (result raidengine.MovementResult) {
 func checkRDSInstanceMovement(cfg aws.Config) (result raidengine.MovementResult) {
 // check if the instance is available
 result = raidengine.MovementResult{
- Description: "Check if the instance is available/exists",
+ Description: "Check whether the instance can be reached",
 Function: utils.CallerPath(0),
 }
@@ -105,6 +105,7 @@ func checkRDSInstanceMovement(cfg aws.Config) (result raidengine.MovementResult)
 result.Passed = false
 return
 }
+ result.Message = "Instance found"
 result.Passed = len(instance.DBInstances) > 0
 return
 }
From ea9dce3c317227fb888714168d4b15961b8844a7 Mon Sep 17 00:00:00 2001
From: Eddie Knight
Date: Tue, 31 Oct 2023 07:10:52 -0500
Subject: [PATCH 2/3] autoback messages
---
 strikes/AutomatedBackups.go | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/strikes/AutomatedBackups.go b/strikes/AutomatedBackups.go
index a4ae071..949d867 100644
--- a/strikes/AutomatedBackups.go
+++ b/strikes/AutomatedBackups.go
@@ -2,6 +2,7 @@ package strikes
 import (
 "context"
+ "fmt"
 "github.com/aws/aws-sdk-go-v2/aws"
 "github.com/aws/aws-sdk-go-v2/service/rds"
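Review bot: The new message `"Read replica exists, but not in a different region"` is set as soon as one replica's availability zone matches hostRDSRegion, and the `return` right after it leaves the loop, so an instance with one same-region and one cross-region replica is reported as having no cross-region replica. The enclosing loop begins outside this hunk, so I cannot confirm how replicas are ordered; if the intent is "at least one cross-region replica exists", record a found flag, `continue` past same-region replicas, and fail with this message only after the loop finishes. Naming the replica in the message (`"Read replica " + replica + " is in the same region as the host instance"`) would make the finding actionable, assuming `replica` is the loop variable visible in the @@ -78 hunk. Separately, `az[:len(az)-1]` on the line above panics when az is empty, so a length guard before the comparison would keep the strike from crashing on an unexpected API response.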
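Review bot: In the common.go @@ -105 hunk, `result.Message = "Instance found"` is assigned before `result.Passed = len(instance.DBInstances) > 0`, so when the describe call returns no DB instances the movement reports Passed=false alongside a message claiming the instance was found. Set the message only after the count is known so the two fields agree, and give the not-found path its own message instead of the contradictory one; the rewrite below keeps the early-return structure the function already uses.
```go
	// … unchanged: describe call and its error handling …
	result.Passed = len(instance.DBInstances) > 0
	if !result.Passed {
		result.Message = "Instance not found"
		return
	}
	result.Message = "Instance found"
	return
```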
@@ -45,14 +46,14 @@ func (a *Strikes) AutomatedBackups() (strikeName string, result raidengine.Strik
 }
 result.Passed = true
- result.Message = "Completed Successfully"
+ result.Message = "Automated Backups are enabled"
 return
 }
 func checkRDSAutomatedBackupMovement(cfg aws.Config) (result raidengine.MovementResult) {
 result = raidengine.MovementResult{
- Description: "Check if the instance has automated backups enabled",
+ Description: "Check whether the instance has automated backups enabled",
 Function: utils.CallerPath(0),
 }
@@ -71,6 +72,8 @@ func checkRDSAutomatedBackupMovement(cfg aws.Config) (result raidengine.Movement
 }
 // Loop through the instances and print information
- result.Passed = len(backups.DBInstanceAutomatedBackups) > 0
+ backupCount := len(backups.DBInstanceAutomatedBackups)
+ result.Message = fmt.Sprintf("%d Automated backups found", backupCount)
+ result.Passed = backupCount > 0
 return
 }
From d2e150157977781ec52924d28a5e0c708ea9ae54 Mon Sep 17 00:00:00 2001
From: Eddie Knight
Date: Tue, 31 Oct 2023 07:19:58 -0500
Subject: [PATCH 3/3] Polished some messages
Signed-off-by: Eddie Knight
---
 strikes/Encryption.go | 4 ++--
 strikes/RBAC.go | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/strikes/Encryption.go b/strikes/Encryption.go
index e548b14..19737aa 100644
--- a/strikes/Encryption.go
+++ b/strikes/Encryption.go
@@ -42,14 +42,14 @@ func (a *Strikes) Encryption() (strikeName string, result raidengine.StrikeResul
 }
 result.Passed = true
- result.Message = "Completed Successfully"
+ result.Message = "Storage encryption is enabled"
 return
 }
 func checkIfStorageIsEncryptedMovement(cfg aws.Config) (result raidengine.MovementResult) {
 result = raidengine.MovementResult{
- Description: "Check if the instance has storage encryption enabled",
+ Description: "Check whether the instance has storage encryption enabled",
 Function: utils.CallerPath(0),
 }
diff --git a/strikes/RBAC.go b/strikes/RBAC.go
index 1efa632..96cee07 100644
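Review bot: In the AutomatedBackups.go @@ -71 hunk the comment `// Loop through the instances and print information` sits directly above the new backupCount lines but no longer describes them: the code neither loops nor prints. Replace it with `// Pass only when at least one automated backup exists for the instance`; the same stale comment appears above the new message line in the RBAC.go @@ -71 hunk. One caveat for the control itself: a non-zero count of DBInstanceAutomatedBackups says nothing about how long those backups are retained, so if the control also requires a minimum retention window that setting would need a separate check, which is not visible from this hunk.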
--- a/strikes/RBAC.go
+++ b/strikes/RBAC.go
@@ -14,7 +14,7 @@ func (a *Strikes) RBAC() (strikeName string, result raidengine.StrikeResult) {
 strikeName = "RBAC"
 result = raidengine.StrikeResult{
 Passed: false,
- Description: "Check if database IAM authentication is enabled on the specified RDS instance",
+ Description: "Check whether primary RDS instance supports RBAC authentication",
 DocsURL: "https://www.github.com/krumIO/raid-rds",
 ControlID: "CCC-Taxonomy-1",
 Movements: make(map[string]raidengine.MovementResult),
@@ -36,20 +36,19 @@ func (a *Strikes) RBAC() (strikeName string, result raidengine.StrikeResult) {
 iamDatabaseAuthMovement := checkForIAMDatabaseAuthMovement(cfg)
 result.Movements["CheckForIAMDatabaseAuth"] = iamDatabaseAuthMovement
+ result.Message = iamDatabaseAuthMovement.Message
 if !iamDatabaseAuthMovement.Passed {
- result.Message = iamDatabaseAuthMovement.Message
 return
 }
 result.Passed = true
- result.Message = "Completed Successfully"
 return
 }
 func checkForIAMDatabaseAuthMovement(cfg aws.Config) (result raidengine.MovementResult) {
 result = raidengine.MovementResult{
- Description: "Check if the instance has IAM Database Authentication enabled",
+ Description: "Check whether the instance has IAM Database Authentication enabled",
 Function: utils.CallerPath(0),
 }
@@ -71,5 +70,6 @@ func checkForIAMDatabaseAuthMovement(cfg aws.Config) (result raidengine.Movement
 // Loop through the instances and print information
 result.Passed = true
+ result.Message = "IAM Database Authentication is enabled"
 return
 }
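Review bot: The new strike description `"Check whether primary RDS instance supports RBAC authentication"` in the @@ -14 hunk overstates what is verified: the strike's only visible movement, checkForIAMDatabaseAuthMovement, reports whether IAM Database Authentication is enabled on the instance (per its own description in the @@ -36 hunk), which is a narrower property than role-based access control and an enabled/disabled state rather than "support". The wording it replaces was more precise; I would keep the property explicit, e.g. `Description: "Check whether IAM database authentication is enabled on the primary RDS instance"`, so a reader of the report is not led to believe database-level roles were assessed.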
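Review bot: In the @@ -36 hunk, moving `result.Message = iamDatabaseAuthMovement.Message` ahead of the Passed check and dropping the strike's own success message makes the strike's message depend entirely on the movement populating it on every path. The @@ -71 hunk sets it on success, but any early-return inside checkForIAMDatabaseAuthMovement that leaves Message empty (the function body is outside this hunk) would now surface as a failed strike with a blank message; worth confirming each failure path sets one, or adding a fallback after the assignment such as `if result.Message == "" { result.Message = "IAM Database Authentication check did not complete" }`.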