This repository has been archived by the owner on Sep 17, 2021. It is now read-only.

Merge pull request #416 from Netflix/rds_sg_index
Fixes to #411 and preparation for v0.7.0
Patrick Kelley authored Sep 20, 2016
2 parents 55bfeac + 2087fdf commit 48f50ed
Showing 8 changed files with 286 additions and 72 deletions.
74 changes: 74 additions & 0 deletions docs/changelog.rst
Expand Up @@ -2,6 +2,80 @@
Changelog
*********

v0.7.0 (2016-09-21)
===================
- PR #410/#405 - @zollman - Custom Watcher/Auditor Support. (Dynamic Loading)
- PR #412 - @llange - Google SSO Fixes
- PR #409 - @kyelberry - Fixed Report URLs in UI.
- PR #413 - @markofu - Better handle IAM SSL certificates that we cannot parse.
- PR #411 - @zollman - Many, many new watchers and auditors.


New Watchers:

* CloudTrail
* AWSConfig
* AWSConfigRecorder
* DirectConnect::Connection
* EC2::EbsSnapshot
* EC2::EbsVolume
* EC2::Image
* EC2::Instance
* ENI
* KMS::Grant
* KMS::Key
* Lambda
* RDS::ClusterSnapshot
* RDS::DBCluster
* RDS::DBInstace
* RDS::Snapshot
* RDS::SubnetGroup
* Route53
* Route53Domains
* TrustedAdvisor
* VPC::DHCP
* VPC::Endpoint
* VPC::FlowLog
* VPC::NatGateway
* VPC::NetworkACL
* VPC::Peering

Important Notes:

- New permissions required:
- cloudtrail:describetrails
- config:describeconfigrules
- config:describeconfigurationrecorders
- directconnect:describeconnections
- ec2:describeflowlogs
- ec2:describeimages
- ec2:describenatgateways
- ec2:describenetworkacls
- ec2:describenetworkinterfaces
- ec2:describesnapshots
- ec2:describevolumes
- ec2:describevpcendpoints
- ec2:describevpcpeeringconnections,
- iam:getaccesskeylastused
- iam:listattachedgrouppolicies
- iam:listattacheduserpolicies
- lambda:listfunctions
- rds:describedbclusters
- rds:describedbclustersnapshots
- rds:describedbinstances
- rds:describedbsnapshots
- rds:describedbsubnetgroups
- redshift:describeclusters
- route53domains:listdomains

Contributors:

- @zollman
- @kyleberry
- @llange
- @markofu
- @monkeysecurity

v0.6.0 (2016-08-29)
===================
- issue #292 - PR #332 - Add ephemeral sections to the redshift watcher
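Review bot: the changelog entry for v0.7.0 has a few typos and one inaccuracy that should be fixed before the release is tagged. "RDS::DBInstace" in the New Watchers list should read "RDS::DBInstance", the entry "ec2:describevpcpeeringconnections," carries a stray trailing comma, and the contributor handle appears as both "@kyelberry" (PR #409 line) and "@kyleberry" (Contributors list), so one of them is wrong. Under "New permissions required", "redshift:describeclusters" is listed as new, but the policy in configuration.rst already granted "redshift:DescribeClusters" before this change; it was only lowercased and reordered, so it should be dropped from the new-permissions list. It would also help operators if the entry mentioned that "sqs:receivemessage" is removed from the recommended read-only policy in this same commit.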
52 changes: 35 additions & 17 deletions docs/configuration.rst
Expand Up @@ -71,23 +71,38 @@ SM-ReadOnly
"Statement": [
{
"Action": [
"acm:ListCertificates",
"acm:DescribeCertificate",
"acm:describecertificate",
"acm:listcertificates",
"cloudtrail:describetrails",
"config:describeconfigrules",
"config:describeconfigurationrecorders",
"directconnect:describeconnections",
"ec2:describeaddresses",
"ec2:describedhcpoptions",
"ec2:describeflowlogs",
"ec2:describeimages",
"ec2:describeinstances",
"ec2:describeinternetgateways",
"ec2:describekeypairs",
"ec2:describenatgateways",
"ec2:describenetworkacls",
"ec2:describenetworkinterfaces",
"ec2:describeregions",
"ec2:describeroutetables",
"ec2:describesecuritygroups",
"ec2:describesnapshots",
"ec2:describesubnets",
"ec2:describetags",
"ec2:describevolumes",
"ec2:describevpcendpoints",
"ec2:describevpcpeeringconnections",
"ec2:describevpcs",
"elasticloadbalancing:describeinstancehealth",
"elasticloadbalancing:describeloadbalancerattributes",
"elasticloadbalancing:describeloadbalancerpolicies",
"elasticloadbalancing:describeloadbalancers",
"es:describeelasticsearchdomainconfig",
"es:listdomainnames",
"iam:getaccesskeylastused",
"iam:getgroup",
"iam:getgrouppolicy",
"iam:getloginprofile",
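Review bot: lowercasing and alphabetically sorting the Action list is a good cleanup, since IAM evaluates action names case-insensitively and a sorted list makes future permission diffs readable, but the reasoning is worth a sentence in the commit message or the docs, because a reader comparing the old "acm:ListCertificates" against the new "acm:listcertificates" cannot tell whether the change is cosmetic or semantic. The net widening here (cloudtrail, config, directconnect, the new ec2:describe* actions, iam:getaccesskeylastused) matches the "New permissions required" section of the changelog, which is the check reviewers should keep doing for every watcher PR.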
Expand All @@ -98,7 +113,9 @@ SM-ReadOnly
"iam:getuser",
"iam:getuserpolicy",
"iam:listaccesskeys",
"iam:listattachedgrouppolicies",
"iam:listattachedrolepolicies",
"iam:listattacheduserpolicies",
"iam:listentitiesforpolicy",
"iam:listgrouppolicies",
"iam:listgroups",
Expand All @@ -111,27 +128,31 @@ SM-ReadOnly
"iam:listsigningcertificates",
"iam:listuserpolicies",
"iam:listusers",
"kms:DescribeKey",
"kms:GetKeyPolicy",
"kms:ListKeys",
"kms:ListAliases",
"kms:ListGrants",
"kms:ListKeyPolicies",
"redshift:DescribeClusters",
"kms:describekey",
"kms:getkeypolicy",
"kms:listaliases",
"kms:listgrants",
"kms:listkeypolicies",
"kms:listkeys",
"lambda:listfunctions",
"rds:describedbclusters",
"rds:describedbclustersnapshots",
"rds:describedbinstances",
"rds:describedbsecuritygroups",
"rds:describedbsnapshots",
"rds:describedbsubnetgroups",
"redshift:describeclusters",
"route53:listhostedzones",
"route53:listresourcerecordsets",
"route53domains:listdomains",
"s3:getbucketacl",
"s3:getbucketcors",
"s3:getbucketlocation",
"s3:getbucketlogging",
"s3:getbucketpolicy",
"s3:getbuckettagging",
"s3:getbucketversioning",
"s3:getlifecycleconfiguration",
"s3:listallmybuckets",
"ses:getidentitydkimattributes",
"ses:getidentitynotificationattributes",
"ses:getidentityverificationattributes",
"ses:listidentities",
"ses:listverifiedemailaddresses",
Expand All @@ -140,10 +161,7 @@ SM-ReadOnly
"sns:listsubscriptionsbytopic",
"sns:listtopics",
"sqs:getqueueattributes",
"sqs:listqueues",
"sqs:receivemessage",
"es:DescribeElasticSearchDomainConfig",
"es:ListDomainNames"
"sqs:listqueues"
],
"Effect": "Allow",
"Resource": "*"
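Review bot: dropping "sqs:receivemessage" from the read-only policy is the right call, since ReceiveMessage is a data-plane action that reads queue payloads rather than queue configuration, and the watcher only needs "sqs:getqueueattributes" and "sqs:listqueues"; please call this out in the changelog so operators who copied the old policy know to tighten it. The two trailing "es:" entries are not lost, they were moved into sorted position as "es:describeelasticsearchdomainconfig" and "es:listdomainnames" in the first hunk, which also quietly fixes the earlier mis-capitalized "es:DescribeElasticSearchDomainConfig" by sidestepping case altogether.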
52 changes: 35 additions & 17 deletions docs/quickstart.rst
Expand Up @@ -83,23 +83,38 @@ Paste in this JSON with the name "SecurityMonkeyReadOnly":
"Statement": [
{
"Action": [
"acm:ListCertificates",
"acm:DescribeCertificate",
"acm:describecertificate",
"acm:listcertificates",
"cloudtrail:describetrails",
"config:describeconfigrules",
"config:describeconfigurationrecorders",
"directconnect:describeconnections",
"ec2:describeaddresses",
"ec2:describedhcpoptions",
"ec2:describeflowlogs",
"ec2:describeimages",
"ec2:describeinstances",
"ec2:describeinternetgateways",
"ec2:describekeypairs",
"ec2:describenatgateways",
"ec2:describenetworkacls",
"ec2:describenetworkinterfaces",
"ec2:describeregions",
"ec2:describeroutetables",
"ec2:describesecuritygroups",
"ec2:describesnapshots",
"ec2:describesubnets",
"ec2:describetags",
"ec2:describevolumes",
"ec2:describevpcendpoints",
"ec2:describevpcpeeringconnections",
"ec2:describevpcs",
"elasticloadbalancing:describeinstancehealth",
"elasticloadbalancing:describeloadbalancerattributes",
"elasticloadbalancing:describeloadbalancerpolicies",
"elasticloadbalancing:describeloadbalancers",
"es:describeelasticsearchdomainconfig",
"es:listdomainnames",
"iam:getaccesskeylastused",
"iam:getgroup",
"iam:getgrouppolicy",
"iam:getloginprofile",
Expand All @@ -110,7 +125,9 @@ Paste in this JSON with the name "SecurityMonkeyReadOnly":
"iam:getuser",
"iam:getuserpolicy",
"iam:listaccesskeys",
"iam:listattachedgrouppolicies",
"iam:listattachedrolepolicies",
"iam:listattacheduserpolicies",
"iam:listentitiesforpolicy",
"iam:listgrouppolicies",
"iam:listgroups",
Expand All @@ -123,27 +140,31 @@ Paste in this JSON with the name "SecurityMonkeyReadOnly":
"iam:listsigningcertificates",
"iam:listuserpolicies",
"iam:listusers",
"kms:DescribeKey",
"kms:GetKeyPolicy",
"kms:ListKeys",
"kms:ListAliases",
"kms:ListGrants",
"kms:ListKeyPolicies",
"redshift:DescribeClusters",
"kms:describekey",
"kms:getkeypolicy",
"kms:listaliases",
"kms:listgrants",
"kms:listkeypolicies",
"kms:listkeys",
"lambda:listfunctions",
"rds:describedbclusters",
"rds:describedbclustersnapshots",
"rds:describedbinstances",
"rds:describedbsecuritygroups",
"rds:describedbsnapshots",
"rds:describedbsubnetgroups",
"redshift:describeclusters",
"route53:listhostedzones",
"route53:listresourcerecordsets",
"route53domains:listdomains",
"s3:getbucketacl",
"s3:getbucketcors",
"s3:getbucketlocation",
"s3:getbucketlogging",
"s3:getbucketpolicy",
"s3:getbuckettagging",
"s3:getbucketversioning",
"s3:getlifecycleconfiguration",
"s3:listallmybuckets",
"ses:getidentitydkimattributes",
"ses:getidentitynotificationattributes",
"ses:getidentityverificationattributes",
"ses:listidentities",
"ses:listverifiedemailaddresses",
Expand All @@ -152,10 +173,7 @@ Paste in this JSON with the name "SecurityMonkeyReadOnly":
"sns:listsubscriptionsbytopic",
"sns:listtopics",
"sqs:getqueueattributes",
"sqs:listqueues",
"sqs:receivemessage",
"es:DescribeElasticSearchDomainConfig",
"es:ListDomainNames"
"sqs:listqueues"
],
"Effect": "Allow",
"Resource": "*"
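Review bot: this hunk, and the three before it, are a byte-for-byte copy of the configuration.rst changes, so docs/quickstart.rst and docs/configuration.rst now carry two identical copies of the SecurityMonkeyReadOnly policy that must be edited in lockstep every time a watcher adds a permission. Consider keeping the policy JSON in one file and pulling it into both pages with an RST include directive (for example a single policy file referenced via ``.. literalinclude::``), so a future PR cannot update one copy and miss the other.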
44 changes: 44 additions & 0 deletions migrations/versions/1a863bd1acb1_.py
@@ -0,0 +1,44 @@
"""Renaming rds to rdssecuritygroup
Revision ID: 1a863bd1acb1
Revises: 0ae4ef82b244
Create Date: 2016-09-20 20:22:19.687138
"""

# revision identifiers, used by Alembic.
revision = '1a863bd1acb1'
down_revision = '0ae4ef82b244'

from alembic import op
import sqlalchemy as sa
from sqlalchemy.orm import sessionmaker
from sqlalchemy.ext.declarative import declarative_base


Session = sessionmaker()
Base = declarative_base()


class Technology(Base):
__tablename__ = 'technology'
id = sa.Column(sa.Integer, primary_key=True)
name = sa.Column(sa.String(32))


def upgrade():
bind = op.get_bind()
session = Session(bind=bind)
rds_tech = session.query(Technology).filter(Technology.name == 'rds').first()
if rds_tech:
rds_tech.name = 'rdssecuritygroup'
session.commit()


def downgrade():
bind = op.get_bind()
session = Session(bind=bind)
rds_tech = session.query(Technology).filter(Technology.name == 'rdssecuritygroup').first()
if rds_tech:
rds_tech.name = 'rds'
session.commit()
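Review bot: `upgrade()` and `downgrade()` use `.first()` and rename only one row, so if the `technology` table ever holds more than one row named 'rds' (there is no uniqueness constraint declared on `name` in this local model) the extra rows are left untouched and the app will keep treating them as the old watcher; a bulk `session.query(Technology).filter(Technology.name == 'rds').update({Technology.name: 'rdssecuritygroup'})` renames all matches in one statement and avoids loading ORM objects at all. The `Session` created from `op.get_bind()` is also never closed in either direction; a `session.close()` after the commit, or a `try/finally`, keeps the connection state tidy for the next migration in the chain. Minor: the module docstring is missing the blank line after the summary line that Alembic's script template uses.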