From 518013e10bdda40ead96fcb7819b50a9f9ca680d Mon Sep 17 00:00:00 2001
From: fatima99s
Date: Mon, 15 Jul 2024 16:09:25 +0500
Subject: [PATCH 1/4] FS-AWS/ManagedBlockchainCloudwatchLogs
---
 exports.js | 2 +
 .../networkMemberCloudwatchLogs.js | 90 ++++++++++
 .../networkMemberCloudwatchLogs.spec.js | 165 ++++++++++++++++++
 3 files changed, 257 insertions(+)
 create mode 100644 plugins/aws/managedblockchain/networkMemberCloudwatchLogs.js
 create mode 100644 plugins/aws/managedblockchain/networkMemberCloudwatchLogs.spec.js
diff --git a/exports.js b/exports.js
index dcbf2a3dbb..13046ff016 100644
--- a/exports.js
+++ b/exports.js
@@ -637,6 +637,8 @@ module.exports = {
 'databrewJobOutputEncrypted' : require(__dirname + '/plugins/aws/gluedatabrew/databrewJobOutputEncrypted.js'),
 'networkMemberDataEncrypted' : require(__dirname + '/plugins/aws/managedblockchain/networkMemberDataEncrypted.js'),
+ 'networkMemberCloudwatchLogs' : require(__dirname + '/plugins/aws/managedblockchain/networkMemberCloudwatchLogs.js'),
+
 'docdbClusterEncrypted' : require(__dirname + '/plugins/aws/documentDB/docdbClusterEncrypted.js'),
 'docDbHasTags' : require(__dirname + '/plugins/aws/documentDB/docDbHasTags.js'),
diff --git a/plugins/aws/managedblockchain/networkMemberCloudwatchLogs.js b/plugins/aws/managedblockchain/networkMemberCloudwatchLogs.js
new file mode 100644
index 0000000000..f27c20ae60
--- /dev/null
+++ b/plugins/aws/managedblockchain/networkMemberCloudwatchLogs.js
@@ -0,0 +1,90 @@
+var async = require('async');
+var helpers = require('../../../helpers/aws');
+
+module.exports = {
+ title: 'Managed Blockchain Network Member CloudWatch Logs',
+ category: 'Managed Blockchain',
+ domain: 'Content Delivery',
+ severity: 'Medium',
+ description: 'Ensure that Amazon Managed Blockchain members have CloudWatch logs enabled.',
+ more_info: 'Enabling CloudWatch Logs for Amazon Managed Blockchain helps troubleshoot chaincode development, monitor network activity, and identify errors by publishing peer node, chaincode, and certificate authority (CA) logs.',
+ link: 'https://docs.aws.amazon.com/managed-blockchain/latest/hyperledger-fabric-dev/monitoring-cloudwatch-logs.html',
+ recommended_action: 'Modify Managed Blockchain members to enable CloudWatch Logs',
+ apis: ['ManagedBlockchain:listMembers', 'ManagedBlockchain:listNetworks', 'ManagedBlockchain:getMember'],
+ realtime_triggers: ['managedblockchain:CreateNetwork', 'managedblockchain:DeleteMember'],
+
+ run: function(cache, settings, callback) {
+ var results = [];
+ var source = {};
+ var regions = helpers.regions(settings);
+
+ async.each(regions.managedblockchain, function(region, rcb){
+ var listNetworks = helpers.addSource(cache, source,
+ ['managedblockchain', 'listNetworks', region]);
+
+ if (!listNetworks) return rcb();
+
+ if (listNetworks.err || !listNetworks.data) {
+ helpers.addResult(results, 3,
+ `Unable to query for Managed Blockchain networks: ${helpers.addError(listNetworks)}`, region);
+ return rcb();
+ }
+
+ if (!listNetworks.data.length) {
+ helpers.addResult(results, 0, 'No Managed Blockchain networks found', region);
+ return rcb();
+ }
+
+ for (let network of listNetworks.data) {
+ if (!network.Id || !network.Arn) continue;
+
+ let listMembers = helpers.addSource(cache, source,
+ ['managedblockchain', 'listMembers', region, network.Id]);
+
+ if (!listMembers || listMembers.err || !listMembers.data || !listMembers.data.Members) {
+ helpers.addResult(results, 3,
+ `Unable to query network members: ${helpers.addError(listMembers)}`,
+ region, network.Arn);
+ continue;
+ }
+
+ if (!listMembers.data.Members.length) {
+ helpers.addResult(results, 0, 'No network members found', region, network.Arn);
+ continue;
+ }
+
+ for (let member of listMembers.data.Members) {
+ if (!member.Id || !member.Arn) continue;
+
+ let resource = member.Arn;
+ let getMember = helpers.addSource(cache, source,
+ ['managedblockchain', 'getMember', region, member.Id]);
+
+ if (!getMember || getMember.err || !getMember.data || !getMember.data.Member) {
+ helpers.addResult(results, 3,
+ `Unable to query network member: ${helpers.addError(getMember)}`,
+ region, member.Arn);
+ continue;
+ }
+ const getmember = getMember.data.Member
+
+ if (getmember.LogPublishingConfiguration && getmember.LogPublishingConfiguration.Fabric &&
+ getmember.LogPublishingConfiguration.Fabric.CaLogs && getmember.LogPublishingConfiguration.Fabric.CaLogs.Cloudwatch
+ && getmember.LogPublishingConfiguration.Fabric.CaLogs.Cloudwatch.Enabled) {
+ helpers.addResult(results, 0,
+ 'Network member has CloudWatch logs enabled',
+ region, resource);
+ } else {
+ helpers.addResult(results, 2,
+ 'Network member does not have CloudWatch logs enabled',
+ region, resource);
+ }
+ }
+ }
+
+ rcb();
+ }, function(){
+ callback(null, results, source);
+ });
+ }
+};
diff --git a/plugins/aws/managedblockchain/networkMemberCloudwatchLogs.spec.js b/plugins/aws/managedblockchain/networkMemberCloudwatchLogs.spec.js
new file mode 100644
index 0000000000..0a55f7e219
--- /dev/null
+++ b/plugins/aws/managedblockchain/networkMemberCloudwatchLogs.spec.js
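Review bot: The `realtime_triggers` list near the top of the new file omits `managedblockchain:UpdateMember`, the API call that changes a member's `LogPublishingConfiguration`, and `managedblockchain:CreateMember`, so a member whose CA logging is switched off after creation will not re-trigger this check; `realtime_triggers: ['managedblockchain:CreateNetwork', 'managedblockchain:CreateMember', 'managedblockchain:UpdateMember', 'managedblockchain:DeleteMember'],`. The pass/fail condition inspects only `Fabric.CaLogs.Cloudwatch.Enabled`, and the getMember fixture in the accompanying spec shows CaLogs as the only log setting under `Fabric` at member level, so a one-line comment above that `if`, such as `// member-level config only carries CA logs; peer-node/chaincode logging is configured per node`, would stop the next maintainer from widening the check to match the broader wording in more_info. The getMember/listMembers guards treat a missing `LogPublishingConfiguration` as a FAIL, which looks intentional but is not covered by the spec.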
@@ -0,0 +1,165 @@
+var expect = require('chai').expect;
+var networkMemberCloudwatchLogs = require('./networkMemberCloudwatchLogs');
+
+const listNetworks = [
+ {
+ "Id": "n-Z7YTJ3EHSBENRKI7UM6XW2XWFQ",
+ "Name": "akhtar-net",
+ "Description": null,
+ "Framework": "HYPERLEDGER_FABRIC",
+ "FrameworkVersion": "1.4",
+ "Status": "AVAILABLE",
+ "CreationDate": "2021-11-16T07:46:51.158Z",
+ "Arn": "arn:aws:managedblockchain:us-east-1::networks/n-Z7YTJ3EHSBENRKI7UM6XW2XWFQ"
+ }
+];
+
+const listMembers = [
+ {
+ "Id": "m-3WDFHOCKPZFPXOXP5SVIYEBTYA",
+ "Name": "akhtar",
+ "Description": null,
+ "Status": "AVAILABLE",
+ "CreationDate": "2021-11-16T07:46:51.146Z",
+ "IsOwned": true,
+ "Arn": "arn:aws:managedblockchain:us-east-1:000011112222:members/m-3WDFHOCKPZFPXOXP5SVIYEBTYA"
+ }
+];
+
+const getMember = [
+ {
+ "NetworkId": "n-Z7YTJ3EHSBENRKI7UM6XW2XWFQ",
+ "Id": "m-3WDFHOCKPZFPXOXP5SVIYEBTYA",
+ "Name": "akhtar",
+ "Description": null,
+ "FrameworkAttributes": {
+ "Fabric": {
+ "AdminUsername": "cloudsploit",
+ "CaEndpoint": "ca.m-3wdfhockpzfpxoxp5sviyebtya.n-z7ytj3ehsbenrki7um6xw2xwfq.managedblockchain.us-east-1.amazonaws.com:30002"
+ }
+ },
+ "LogPublishingConfiguration": {
+ "Fabric": {
+ "CaLogs": {
+ "Cloudwatch": {
+ "Enabled": true
+ }
+ }
+ }
+ },
+ "Status": "AVAILABLE",
+ "CreationDate": "2021-11-16T07:46:51.146Z",
+ "Tags": {},
+ "Arn": "arn:aws:managedblockchain:us-east-1:000011112222:members/m-3WDFHOCKPZFPXOXP5SVIYEBTYA",
+ "KmsKeyArn": "arn:aws:kms:us-east-1:000011112222:key/ad013a33-b01d-4d88-ac97-127399c18b3e"
+ },
+ {
+ "NetworkId": "n-Z7YTJ3EHSBENRKI7UM6XW2XWFQ",
+ "Id": "m-3WDFHOCKPZFPXOXP5SVIYEBTYA",
+ "Name": "akhtar",
+ "Description": null,
+ "FrameworkAttributes": {
+ "Fabric": {
+ "AdminUsername": "cloudsploit",
+ "CaEndpoint": "ca.m-3wdfhockpzfpxoxp5sviyebtya.n-z7ytj3ehsbenrki7um6xw2xwfq.managedblockchain.us-east-1.amazonaws.com:30002"
+ }
+ },
+ "LogPublishingConfiguration": {
+ "Fabric": {
+ "CaLogs": {
+ "Cloudwatch": {
+ "Enabled": false
+ }
+ }
+ }
+ },
+ "Status": "AVAILABLE",
+ "CreationDate": "2021-11-16T07:46:51.146Z",
+ "Tags": {},
+ "Arn": "arn:aws:managedblockchain:us-east-1:000011112222:members/m-3WDFHOCKPZFPXOXP5SVIYEBTYA",
+ "KmsKeyArn": "AWS_OWNED_KMS_KEY"
+ }
+];
+
+
+const createCache = (networks, members, getMember, networksErr) => {
+ var networkId = (networks && networks.length) ? networks[0].Id : null;
+ var memberId = (members && members.length) ? members[0].Id : null;
+ return {
+ managedblockchain: {
+ listNetworks: {
+ 'us-east-1': {
+ err: networksErr,
+ data: networks
+ },
+ },
+ listMembers: {
+ 'us-east-1': {
+ [networkId]: {
+ data: {
+ "Members": members
+ }
+ }
+ }
+ },
+ getMember: {
+ 'us-east-1': {
+ [memberId]: {
+ data: {
+ "Member": getMember
+ }
+ }
+ }
+ }
+ },
+ };
+};
+
+describe('networkMemberCloudwatchLogs', function () {
+ describe('run', function () {
+ it('should PASS if Network member has cloudwatch logs enabled', function (done) {
+ const cache = createCache(listNetworks ,listMembers, getMember[0]);
+ networkMemberCloudwatchLogs.run(cache, {}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(0);
+ expect(results[0].region).to.equal('us-east-1');
+ expect(results[0].message).to.include('Network member has CloudWatch logs enabled');
+ done();
+ });
+ });
+
+ it('should FAIL if Network member does not have cloudwatch logs enabled', function (done) {
+ const cache = createCache(listNetworks ,listMembers, getMember[1]);
+ networkMemberCloudwatchLogs.run(cache, {}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(2);
+ expect(results[0].region).to.equal('us-east-1');
+ expect(results[0].message).to.include('Network member does not have CloudWatch logs enabled');
+ done();
+ });
+ });
+
+ it('should PASS if no Managed Blockchain networks found', function (done) {
+ const cache = createCache([]);
+ networkMemberCloudwatchLogs.run(cache, {}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(0);
+ expect(results[0].region).to.equal('us-east-1');
+ expect(results[0].message).to.include('No Managed Blockchain networks found');
+ done();
+ });
+ });
+
+ it('should UNKNOWN if unable to query Managed Blockchain networks', function (done) {
+ const cache = createCache(null, null, null, { message: "unable to obtain data" });
+ networkMemberCloudwatchLogs.run(cache, {}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(3);
+ expect(results[0].region).to.equal('us-east-1');
+ expect(results[0].message).to.include('Unable to query for Managed Blockchain networks:');
+ done();
+ });
+ });
+
+ });
+})
\ No newline at end of file
From aab9888c822a92506206f4f04accdc8adf23e029 Mon Sep 17 00:00:00 2001
From: AkhtarAmir
Date: Mon, 15 Jul 2024 16:22:21 +0500
Subject: [PATCH 2/4] FS-AWS/ManagedBlockchainCloudwatchLogs
---
 .../networkMemberCloudwatchLogs.js | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/plugins/aws/managedblockchain/networkMemberCloudwatchLogs.js b/plugins/aws/managedblockchain/networkMemberCloudwatchLogs.js
index f27c20ae60..deae8931e2 100644
--- a/plugins/aws/managedblockchain/networkMemberCloudwatchLogs.js
+++ b/plugins/aws/managedblockchain/networkMemberCloudwatchLogs.js
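Review bot: The four `it` cases never exercise a member whose `LogPublishingConfiguration` is absent (the plugin treats that as FAIL through its null-guard chain) nor the `getMember` error path that reports 'Unable to query network member', so the branches most likely to regress are untested; a case such as `const cache = createCache(listNetworks, listMembers, {});` asserting `status` 2 covers the first, and the second needs `createCache` to accept a getMember error the same way it already accepts `networksErr`. `createCache` keys `listMembers` and `getMember` under `null` when the lists are empty, which only works because the plugin returns early before reading those entries — a one-line comment on the `networkId`/`memberId` lines saying so would save the next reader from chasing it. The `createCache(listNetworks ,listMembers, ...)` spacing in the first two cases is a style nit worth tidying.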
@@ -66,19 +66,19 @@ module.exports = {
 region, member.Arn);
 continue;
 }
- const getmember = getMember.data.Member
+ const getmember = getMember.data.Member;
 if (getmember.LogPublishingConfiguration && getmember.LogPublishingConfiguration.Fabric &&
 getmember.LogPublishingConfiguration.Fabric.CaLogs && getmember.LogPublishingConfiguration.Fabric.CaLogs.Cloudwatch
 && getmember.LogPublishingConfiguration.Fabric.CaLogs.Cloudwatch.Enabled) {
- helpers.addResult(results, 0,
- 'Network member has CloudWatch logs enabled',
- region, resource);
- } else {
- helpers.addResult(results, 2,
- 'Network member does not have CloudWatch logs enabled',
- region, resource);
- }
+ helpers.addResult(results, 0,
+ 'Network member has CloudWatch logs enabled',
+ region, resource);
+ } else {
+ helpers.addResult(results, 2,
+ 'Network member does not have CloudWatch logs enabled',
+ region, resource);
+ }
 }
 }
From ccfc3d97b3dca9cea5a12c7d1d2c9b169817c422 Mon Sep 17 00:00:00 2001
From: alphadev4 <113519745+alphadev4@users.noreply.github.com>
Date: Wed, 18 Sep 2024 13:54:52 +0500
Subject: [PATCH 3/4] Update plugins/aws/managedblockchain/networkMemberCloudwatchLogs.js
---
 plugins/aws/managedblockchain/networkMemberCloudwatchLogs.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/aws/managedblockchain/networkMemberCloudwatchLogs.js b/plugins/aws/managedblockchain/networkMemberCloudwatchLogs.js
index deae8931e2..4790a09e43 100644
--- a/plugins/aws/managedblockchain/networkMemberCloudwatchLogs.js
+++ b/plugins/aws/managedblockchain/networkMemberCloudwatchLogs.js
@@ -7,7 +7,7 @@ module.exports = {
 domain: 'Content Delivery',
 severity: 'Medium',
 description: 'Ensure that Amazon Managed Blockchain members have CloudWatch logs enabled.',
- more_info: 'Enabling CloudWatch Logs for Amazon Managed Blockchain helps troubleshoot chaincode development, monitor network activity, and identify errors by publishing peer node, chaincode, and certificate authority (CA) logs.',
+ more_info: 'Enabling CloudWatch Logs for Amazon Managed Blockchain members is essential for monitoring certificate authority (CA) activity, ensuring proper identity management, and troubleshooting any access-related issues by publishing CA logs.',
 link: 'https://docs.aws.amazon.com/managed-blockchain/latest/hyperledger-fabric-dev/monitoring-cloudwatch-logs.html',
 recommended_action: 'Modify Managed Blockchain members to enable CloudWatch Logs',
 apis: ['ManagedBlockchain:listMembers', 'ManagedBlockchain:listNetworks', 'ManagedBlockchain:getMember'],
From dde1e8860d75702332ae1e4999545bd7c2337569 Mon Sep 17 00:00:00 2001
From: alphadev4 <113519745+alphadev4@users.noreply.github.com>
Date: Wed, 18 Sep 2024 16:36:16 +0500
Subject: [PATCH 4/4] Update exports.js
---
 exports.js | 1 -
 1 file changed, 1 deletion(-)
diff --git a/exports.js b/exports.js
index 13046ff016..e557fbe6a7 100644
--- a/exports.js
+++ b/exports.js
@@ -639,7 +639,6 @@ module.exports = {
 'networkMemberDataEncrypted' : require(__dirname + '/plugins/aws/managedblockchain/networkMemberDataEncrypted.js'),
 'networkMemberCloudwatchLogs' : require(__dirname + '/plugins/aws/managedblockchain/networkMemberCloudwatchLogs.js'),
-
 'docdbClusterEncrypted' : require(__dirname + '/plugins/aws/documentDB/docdbClusterEncrypted.js'),
 'docDbHasTags' : require(__dirname + '/plugins/aws/documentDB/docDbHasTags.js'),
 'docdbDeletionProtectionEnabled': require(__dirname + '/plugins/aws/documentDB/docdbDeletionProtectionEnabled.js'),