Merge pull request #91 from aws-ia/ephemeral_project-updates

Updates from project type

.copier-answers.yml

@@ -1,6 +1,6 @@
 # This file is auto-generated, changes will be overwritten
-_commit: v0.1.3
-_src_path: /task/db0b1217-7517-11ee-ad22-429c8fcd4fb9/projecttype
+_commit: v0.1.4
+_src_path: /task/59da57c9-afe3-11ee-8091-0668063857e2/projecttype
 starting_version: v0.0.0
 version_file: VERSION
 

.gitignore

@@ -161,15 +161,45 @@ cython_debug/
 #  option (not recommended) you can uncomment the following to ignore the entire idea folder.
 #.idea/
 
+<<<<<<< before updating
 # taskcat
+=======
+# JetBrains IDE
+.idea/
+
+.DS_Store
+
+.taskcat/
+taskcat_outputs/
+*.zip
+=======
+
+.DS_Store
+
+# Taskcat files
+>>>>>>> after updating
 taskcat_outputs/
 .taskcat/
 
 # since the zips are automatically generated, we don't want to check them in
 lambda_functions/packages/
 
+<<<<<<< before updating
 # General
 .DS_Store
 
 # Ash
 aggregated_results.txt
+=======
+# Package files
+lambda.zip
+
+# Visual Studio Code IDE
+.vscode/
+
+# Scoutsuite files
+/scoutsuite-report/
+scoutsuite-report.zip
+scoutsuite_sysout.txt
+scoutsuite_s3_filename.txt
+>>>>>>> after updating

.project_automation/functional_tests/abi-scoutsuite-custom-ruleset.json → .project_automation/functional_tests/scoutsuite/abi-scoutsuite-custom-ruleset.json

@@ -1,5 +1,5 @@
 {
-    "about": "This is a simplified ruleset intended for use by CDO Securtiy Certifiers and is maintained by Amazon's CloudSecurity team.",
+    "about": "This is a simplified ruleset intended for use with AWS ABI test environments.",
     "rules": {
         "cloudtrail-not-configured.json": [
             {

.project_automation/functional_tests/create-scoutsuite-custom-rule.py → .project_automation/functional_tests/scoutsuite/create-scoutsuite-custom-rule.py

@@ -40,7 +40,7 @@ def create_scoutsuite_custom_rule_file(file_name):
     if not os.path.exists(scoutsuite_cloudtrail_json_file_path):
         # If the file does not exist, create it   
         # Source path
-        src = '.project_automation/functional_tests/'+file_name
+        src = '.project_automation/functional_tests/scoutsuite/'+file_name
         copy_file(src, scoutsuite_cloudtrail_json_file_path)
     else:
         logging.info(f'File {scoutsuite_cloudtrail_json_file_path} already exists')

.project_automation/functional_tests/process-scoutsuite-report.py → .project_automation/functional_tests/scoutsuite/process-scoutsuite-report.py

@@ -81,7 +81,7 @@ def create_lambda_s3_presignedurl():
     '''Function that creates the Lambda function that generates S3 presigned URLs'''
 
     # Create the ZIP deployment package for Lambda
-    lambda_zipped_code = zip_folder_to_bytesio('./.project_automation/functional_tests/lambda_functions/source/lambda_s3_presignedurl')
+    lambda_zipped_code = zip_folder_to_bytesio('./.project_automation/functional_tests/scoutsuite/lambda_functions/source/lambda_s3_presignedurl')
     lambda_zipped_code.seek(0) # Reset the cursor of the BytesIO object to the beginning
 
     s3_client = session.client('s3')
@@ -95,7 +95,7 @@ def create_lambda_s3_presignedurl():
     # Use the session to create a client for CloudFormation
     cf_client = session.client('cloudformation')
 
-    with open('./.project_automation/functional_tests/lambda_s3_presignedurl.yaml', 'r') as file:
+    with open('./.project_automation/functional_tests/scoutsuite/lambda_s3_presignedurl.yaml', 'r') as file:
         template_body = file.read()
     # Check if the stack already exists
     try:
@@ -277,6 +277,8 @@ def upload_scoutsuite_results_zip_to_s3(scoutsuite_zip_file_path, zip_name):
         s3_file_with_key = time_key + '-' + zip_name
         # Upload the Scoutsuite results zip to an S3 bucket
         s3.upload_file(scoutsuite_zip_file_path, bucket_name, s3_file_with_key)
+        with open("scoutsuite_s3_filename.txt", "w") as file:
+            file.write(str(s3_file_with_key))   
 
     except ClientError as error:
         logging.exception (error)

.project_automation/functional_tests/scoutsuite/scoutsuite.sh

@@ -0,0 +1,40 @@
+#!/bin/bash -ex
+
+
+## NOTE: paths may differ when running in a managed task. To ensure behavior is consistent between
+# managed and local tasks always use these variables for the project and project type path
+PROJECT_PATH=${BASE_PATH}/project
+PROJECT_TYPE_PATH=${BASE_PATH}/projecttype
+
+cd ${PROJECT_PATH}
+
+# Retrieve the AWS account ID and store it in a variable
+AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
+
+run_scoutsuite() {
+    #Create Scoutsuite security scan custom rule
+    python3 .project_automation/functional_tests/scoutsuite/create-scoutsuite-custom-rule.py
+    # Execute Scoutsuite security scan
+    scout aws -r us-east-1 --ruleset .project_automation/functional_tests/scoutsuite/abi-scoutsuite-custom-ruleset.json --no-browser --max-rate 5 --max-workers 5 -f
+    # Upload Scoutsuite security scan results to S3 bucket named scoutsuite-results-aws-AWS-ACCOUNT-ID
+    python3 .project_automation/functional_tests/scoutsuite/process-scoutsuite-report.py
+    # Delete taskcat e2e test resources
+    taskcat test clean ALL
+    process_scoutsuite_report
+}
+
+process_scoutsuite_report() {
+    # Check Scoutsuite security scan result for Danger level findings (Non-0 exit code)
+    scoutsuite_sysout_result=$(cat scoutsuite_sysout.txt)
+    scoutsuite_s3_filename=$(cat scoutsuite_s3_filename.txt)
+    rm scoutsuite_sysout.txt
+    rm scoutsuite_s3_filename.txt
+    if [ "$scoutsuite_sysout_result" -ne 0 ]; then       
+        # The value is non-zero, indicating Scoutsuite report needs to be checked for security issues
+        echo "Scoutsuite report contains security issues. For details please check the log messages above or the file $scoutsuite_s3_filename in the S3 bucket named scoutsuite-results-aws-$AWS_ACCOUNT_ID in the AWS test account provided by the ABI team."
+        exit 1 
+    fi
+}
+
+#Run Scoutsuite security test
+run_scoutsuite