FS-AWS/ManagedBlockchainCloudwatchLogs #2067

Merged
1 change: 1 addition & 0 deletions exports.js
Expand Up @@ -637,6 +637,7 @@ module.exports = {
'databrewJobOutputEncrypted' : require(__dirname + '/plugins/aws/gluedatabrew/databrewJobOutputEncrypted.js'),

'networkMemberDataEncrypted' : require(__dirname + '/plugins/aws/managedblockchain/networkMemberDataEncrypted.js'),
'networkMemberCloudwatchLogs' : require(__dirname + '/plugins/aws/managedblockchain/networkMemberCloudwatchLogs.js'),

'docdbClusterEncrypted' : require(__dirname + '/plugins/aws/documentDB/docdbClusterEncrypted.js'),
'docDbHasTags' : require(__dirname + '/plugins/aws/documentDB/docDbHasTags.js'),
90 changes: 90 additions & 0 deletions plugins/aws/managedblockchain/networkMemberCloudwatchLogs.js
@@ -0,0 +1,90 @@
var async = require('async');
var helpers = require('../../../helpers/aws');

module.exports = {
title: 'Managed Blockchain Network Member CloudWatch Logs',
category: 'Managed Blockchain',
domain: 'Content Delivery',
severity: 'Medium',
description: 'Ensure that Amazon Managed Blockchain members have CloudWatch logs enabled.',
more_info: 'Enabling CloudWatch Logs for Amazon Managed Blockchain members is essential for monitoring certificate authority (CA) activity, ensuring proper identity management, and troubleshooting any access-related issues by publishing CA logs.',
link: 'https://docs.aws.amazon.com/managed-blockchain/latest/hyperledger-fabric-dev/monitoring-cloudwatch-logs.html',
recommended_action: 'Modify Managed Blockchain members to enable CloudWatch Logs',
apis: ['ManagedBlockchain:listMembers', 'ManagedBlockchain:listNetworks', 'ManagedBlockchain:getMember'],
realtime_triggers: ['managedblockchain:CreateNetwork', 'managedblockchain:DeleteMember'],

run: function(cache, settings, callback) {
var results = [];
var source = {};
var regions = helpers.regions(settings);

async.each(regions.managedblockchain, function(region, rcb){
var listNetworks = helpers.addSource(cache, source,
['managedblockchain', 'listNetworks', region]);

if (!listNetworks) return rcb();

if (listNetworks.err || !listNetworks.data) {
helpers.addResult(results, 3,
`Unable to query for Managed Blockchain networks: ${helpers.addError(listNetworks)}`, region);
return rcb();
}

if (!listNetworks.data.length) {
helpers.addResult(results, 0, 'No Managed Blockchain networks found', region);
return rcb();
}

for (let network of listNetworks.data) {
if (!network.Id || !network.Arn) continue;

let listMembers = helpers.addSource(cache, source,
['managedblockchain', 'listMembers', region, network.Id]);

if (!listMembers || listMembers.err || !listMembers.data || !listMembers.data.Members) {
helpers.addResult(results, 3,
`Unable to query network members: ${helpers.addError(listMembers)}`,
region, network.Arn);
continue;
}

if (!listMembers.data.Members.length) {
helpers.addResult(results, 0, 'No network members found', region, network.Arn);
continue;
}

for (let member of listMembers.data.Members) {
if (!member.Id || !member.Arn) continue;

let resource = member.Arn;
let getMember = helpers.addSource(cache, source,
['managedblockchain', 'getMember', region, member.Id]);

if (!getMember || getMember.err || !getMember.data || !getMember.data.Member) {
helpers.addResult(results, 3,
`Unable to query network member: ${helpers.addError(getMember)}`,
region, member.Arn);
continue;
}
const getmember = getMember.data.Member;

if (getmember.LogPublishingConfiguration && getmember.LogPublishingConfiguration.Fabric &&
getmember.LogPublishingConfiguration.Fabric.CaLogs && getmember.LogPublishingConfiguration.Fabric.CaLogs.Cloudwatch
&& getmember.LogPublishingConfiguration.Fabric.CaLogs.Cloudwatch.Enabled) {
helpers.addResult(results, 0,
'Network member has CloudWatch logs enabled',
region, resource);
} else {
helpers.addResult(results, 2,
'Network member does not have CloudWatch logs enabled',
region, resource);
}
}
}

rcb();
}, function(){
callback(null, results, source);
});
}
};
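Review bot: The `realtime_triggers:` line lists CreateNetwork and DeleteMember, but the state this check evaluates — a member's LogPublishingConfiguration — is set when a member is created and changed by the UpdateMember call, so if that field is meant to name the API actions that can change the result, the two events that actually move a member between PASS and FAIL are missing. I would expect `realtime_triggers: ['managedblockchain:CreateMember', 'managedblockchain:UpdateMember', 'managedblockchain:DeleteMember']`, assuming the project's convention for the field is as described. A smaller readability point: `const getmember = getMember.data.Member;` differs from `getMember` only by case, which is easy to misread in the five-term condition that follows; a name such as `memberConfig` would make the nested CaLogs check clearer. The `domain: 'Content Delivery'` value also looks out of place for Managed Blockchain and may be carried over from another plugin; worth confirming against the sibling networkMemberDataEncrypted plugin.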
165 changes: 165 additions & 0 deletions plugins/aws/managedblockchain/networkMemberCloudwatchLogs.spec.js
@@ -0,0 +1,165 @@
var expect = require('chai').expect;
var networkMemberCloudwatchLogs = require('./networkMemberCloudwatchLogs');

const listNetworks = [
{
"Id": "n-Z7YTJ3EHSBENRKI7UM6XW2XWFQ",
"Name": "akhtar-net",
"Description": null,
"Framework": "HYPERLEDGER_FABRIC",
"FrameworkVersion": "1.4",
"Status": "AVAILABLE",
"CreationDate": "2021-11-16T07:46:51.158Z",
"Arn": "arn:aws:managedblockchain:us-east-1::networks/n-Z7YTJ3EHSBENRKI7UM6XW2XWFQ"
}
];

const listMembers = [
{
"Id": "m-3WDFHOCKPZFPXOXP5SVIYEBTYA",
"Name": "akhtar",
"Description": null,
"Status": "AVAILABLE",
"CreationDate": "2021-11-16T07:46:51.146Z",
"IsOwned": true,
"Arn": "arn:aws:managedblockchain:us-east-1:000011112222:members/m-3WDFHOCKPZFPXOXP5SVIYEBTYA"
}
];

const getMember = [
{
"NetworkId": "n-Z7YTJ3EHSBENRKI7UM6XW2XWFQ",
"Id": "m-3WDFHOCKPZFPXOXP5SVIYEBTYA",
"Name": "akhtar",
"Description": null,
"FrameworkAttributes": {
"Fabric": {
"AdminUsername": "cloudsploit",
"CaEndpoint": "ca.m-3wdfhockpzfpxoxp5sviyebtya.n-z7ytj3ehsbenrki7um6xw2xwfq.managedblockchain.us-east-1.amazonaws.com:30002"
}
},
"LogPublishingConfiguration": {
"Fabric": {
"CaLogs": {
"Cloudwatch": {
"Enabled": true
}
}
}
},
"Status": "AVAILABLE",
"CreationDate": "2021-11-16T07:46:51.146Z",
"Tags": {},
"Arn": "arn:aws:managedblockchain:us-east-1:000011112222:members/m-3WDFHOCKPZFPXOXP5SVIYEBTYA",
"KmsKeyArn": "arn:aws:kms:us-east-1:000011112222:key/ad013a33-b01d-4d88-ac97-127399c18b3e"
},
{
"NetworkId": "n-Z7YTJ3EHSBENRKI7UM6XW2XWFQ",
"Id": "m-3WDFHOCKPZFPXOXP5SVIYEBTYA",
"Name": "akhtar",
"Description": null,
"FrameworkAttributes": {
"Fabric": {
"AdminUsername": "cloudsploit",
"CaEndpoint": "ca.m-3wdfhockpzfpxoxp5sviyebtya.n-z7ytj3ehsbenrki7um6xw2xwfq.managedblockchain.us-east-1.amazonaws.com:30002"
}
},
"LogPublishingConfiguration": {
"Fabric": {
"CaLogs": {
"Cloudwatch": {
"Enabled": false
}
}
}
},
"Status": "AVAILABLE",
"CreationDate": "2021-11-16T07:46:51.146Z",
"Tags": {},
"Arn": "arn:aws:managedblockchain:us-east-1:000011112222:members/m-3WDFHOCKPZFPXOXP5SVIYEBTYA",
"KmsKeyArn": "AWS_OWNED_KMS_KEY"
}
];


const createCache = (networks, members, getMember, networksErr) => {
var networkId = (networks && networks.length) ? networks[0].Id : null;
var memberId = (members && members.length) ? members[0].Id : null;
return {
managedblockchain: {
listNetworks: {
'us-east-1': {
err: networksErr,
data: networks
},
},
listMembers: {
'us-east-1': {
[networkId]: {
data: {
"Members": members
}
}
}
},
getMember: {
'us-east-1': {
[memberId]: {
data: {
"Member": getMember
}
}
}
}
},
};
};

describe('networkMemberCloudwatchLogs', function () {
describe('run', function () {
it('should PASS if Network member has cloudwatch logs enabled', function (done) {
const cache = createCache(listNetworks ,listMembers, getMember[0]);
networkMemberCloudwatchLogs.run(cache, {}, (err, results) => {
expect(results.length).to.equal(1);
expect(results[0].status).to.equal(0);
expect(results[0].region).to.equal('us-east-1');
expect(results[0].message).to.include('Network member has CloudWatch logs enabled');
done();
});
});

it('should FAIL if Network member does not have cloudwatch logs enabled', function (done) {
const cache = createCache(listNetworks ,listMembers, getMember[1]);
networkMemberCloudwatchLogs.run(cache, {}, (err, results) => {
expect(results.length).to.equal(1);
expect(results[0].status).to.equal(2);
expect(results[0].region).to.equal('us-east-1');
expect(results[0].message).to.include('Network member does not have CloudWatch logs enabled');
done();
});
});

it('should PASS if no Managed Blockchain networks found', function (done) {
const cache = createCache([]);
networkMemberCloudwatchLogs.run(cache, {}, (err, results) => {
expect(results.length).to.equal(1);
expect(results[0].status).to.equal(0);
expect(results[0].region).to.equal('us-east-1');
expect(results[0].message).to.include('No Managed Blockchain networks found');
done();
});
});

it('should UNKNOWN if unable to query Managed Blockchain networks', function (done) {
const cache = createCache(null, null, null, { message: "unable to obtain data" });
networkMemberCloudwatchLogs.run(cache, {}, (err, results) => {
expect(results.length).to.equal(1);
expect(results[0].status).to.equal(3);
expect(results[0].region).to.equal('us-east-1');
expect(results[0].message).to.include('Unable to query for Managed Blockchain networks:');
done();
});
});

});
})
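Review bot: The spec covers only the network-level branches and the final PASS/FAIL decision; the three member-level outcomes the plugin emits — 'No network members found', 'Unable to query network members' and 'Unable to query network member' — have no test, so a regression in the `Members.length` or `getMember.data.Member` guards would go unnoticed. `createCache` already supports two of these without changes: passing `[]` as `members` produces the empty-members result, and omitting the `getMember` argument leaves `Member` undefined and produces the member-query UNKNOWN, assuming `helpers.addSource` returns the cache entry as the existing PASS test already relies on. Two additional `it` blocks inside the `run` describe would cover them.
```javascript
// … unchanged: existing it() blocks in describe('run') …
it('should PASS if no network members found', function (done) {
    const cache = createCache(listNetworks, []);
    networkMemberCloudwatchLogs.run(cache, {}, (err, results) => {
        expect(results.length).to.equal(1);
        expect(results[0].status).to.equal(0);
        expect(results[0].region).to.equal('us-east-1');
        expect(results[0].message).to.include('No network members found');
        done();
    });
});

it('should UNKNOWN if unable to query network member details', function (done) {
    const cache = createCache(listNetworks, listMembers);
    networkMemberCloudwatchLogs.run(cache, {}, (err, results) => {
        expect(results.length).to.equal(1);
        expect(results[0].status).to.equal(3);
        expect(results[0].region).to.equal('us-east-1');
        expect(results[0].message).to.include('Unable to query network member:');
        done();
    });
});
```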