backup vault role level access #1593
backup vault role level access #1593
title: 'Backup Vault Role Access', | ||
category: 'Backup', | ||
domain: 'Storage', | ||
description: 'Ensure that AWS Backup Vault are accessed through roles.', |
description: 'Ensure that AWS Backup Vault are accessed through roles.', | |
description: 'Ensure that AWS Backup vaults are accessed through roles.', |
if (getBackupVaultAccessPolicy && getBackupVaultAccessPolicy.err && getBackupVaultAccessPolicy.err.code && | ||
getBackupVaultAccessPolicy.err.code == 'ResourceNotFoundException') { | ||
helpers.addResult(results, 2, | ||
'No access policy found for Backup vault', region, resource); |
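Review bot: The error-code comparison on the second line of this hunk uses loose equality, `getBackupVaultAccessPolicy.err.code == 'ResourceNotFoundException'`; since `code` is compared against a string literal, strict equality is the safer idiom, `getBackupVaultAccessPolicy.err.code === 'ResourceNotFoundException'`. If the project already targets a runtime with optional chaining, the `&&` guard chain can also collapse to `getBackupVaultAccessPolicy?.err?.code === 'ResourceNotFoundException'`. The enclosing loop body continues outside the hunk.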
Doesn't it mean no access?
helpers.addResult(results, 0, | ||
'The Backup Vault policy does not have trust relationship statements', | ||
region, resource); | ||
return; |
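Review bot: The pass message on the second line, `'The Backup Vault policy does not have trust relationship statements'`, borrows IAM-role terminology; a Backup vault access policy is a resource policy, so `'The Backup vault access policy has no statements'` would describe the condition this branch appears to check. It is also worth a one-line comment above the call explaining why an access policy with no statements passes (status 0) while a missing policy is reported earlier with status 2, since the two cases look similar to a reader. The enclosing block continues outside the hunk.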
return; | |
continue; |
continue; | ||
} | ||
|
||
if (!getBackupVaultAccessPolicy || getBackupVaultAccessPolicy.err || !getBackupVaultAccessPolicy.data) { |
if (!getBackupVaultAccessPolicy || getBackupVaultAccessPolicy.err || !getBackupVaultAccessPolicy.data) { | |
if (!getBackupVaultAccessPolicy || getBackupVaultAccessPolicy.err || !getBackupVaultAccessPolicy.data || !getBackupVaultAccessPolicy.data.Policy) { |
var actions = []; | ||
let roleAccess = true; | ||
for (var statement of statements) { | ||
var principalEval = helpers.globalPrincipal(statement.Principal); |
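Review bot: The declarations in this hunk mix `var` and `let` (`var actions = []`, `let roleAccess = true`, `for (var statement of statements)`); since the code already uses `let`, block-scoped declarations throughout would be consistent, `const actions = [];` and `for (const statement of statements) {`. If `actions` is only mutated in place rather than reassigned, `const` still permits the pushes. The loop body continues outside the hunk.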
Why does it have to be a global principal?
|
||
if (!roleAccess) { | ||
helpers.addResult(results, 2, | ||
'Backup Vault does not have role level access only' + actions, |
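Review bot: The failure message on the last line concatenates an array directly onto the string, `'Backup Vault does not have role level access only' + actions`, which produces text like `...access onlyaction1,action2` with no separator between the message and the list. An explicit join keeps the output readable, `'Backup Vault does not have role level access only: ' + actions.join(', ')`. The addResult call and the enclosing `if` continue outside the hunk.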
Isn't the actions list empty?
No description provided.