Expand 6 AWS services with security-focused resources#7160
Merged
…erences

Adds sub-resources, typed references, and security-relevant fields across GuardDuty, CloudTrail, Identity Center, EKS, Secrets Manager, and Security Hub for deeper security posture visibility.

- EKS: typed encryptionKmsKey/encryptionResources (deprecates encryptionConfig), upgradePolicy, zonalShiftConfig, computeConfig, storageConfig, remoteNetworkConfig on cluster; nodeRepairEnabled, nodegroupSubnets on nodegroup.
- Secrets Manager: type, versions, deletedAt on secret; new secret.version resource.
- GuardDuty: new detector.filter (finding filters with criteria/action/rank) and detector.member (member accounts with relationship status) resources.
- CloudTrail: new eventDataStore (Lake stores with retention, encryption, billing, advanced event selectors) and channel (external event ingestion) resources.
- Security Hub: new member and enabledProduct resources; finding history; removes enabledStandards (breaking, v13.6.3 — replaced by standardSubscriptions).
- Identity Center: new group and user resources from identity store; adds customerManagedPolicies, permissionsBoundary to permissionSet; replaces permissionSetArn with typed permissionSet() on accountAssignment (breaking, v13.6.3); adds identitystore SDK dependency.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Both breaking changes are currently unused and not announced yet, so this is an acceptable breaking change.
…resources

Backwards-compatible upgrade: existing string fields are deprecated (not removed) and new typed reference methods are added alongside them.

- ec2.instanceConnectEndpoint: subnet(), vpc(), securityGroups()
- fsx.filesystem: subnets()
- fsx.cache: cacheSubnets()
- secretsmanager.secret.replicaRegion: kmsKey()
- securitylake.dataLake: s3Bucket()
- securitylake.subscriber: iamRole(), s3Bucket()
- cloudwatch.logDestination: iamRole()
- redshift.eventSubscription: snsTopic()
- rds.eventSubscription: snsTopic()
- directoryservice.vpcSettings: vpc(), securityGroup(), subnets()
- directoryservice.connectSettings: vpc(), securityGroup(), subnets()
- iam.role: permissionsBoundary()

Also updates expect.txt: adds AWSCURRENT/AWSPENDING/AWSPREVIOUS, removes OTX/STIX.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Adds back aws.securityhub.hub.enabledStandards and aws.identitycenter.accountAssignment.permissionSetArn with deprecation comments pointing to their typed replacements (standardSubscriptions and permissionSet respectively). This preserves backwards compatibility for existing consumers.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
4ca0573 to d8764de
… SM versions error handling

- CloudTrail channel sourceType() and source() both returned detail.Source; sourceType() now derives AWS_SERVICE vs CUSTOM from the channel name prefix
- GuardDuty filters() used a single ListFilters call missing pagination; switched to NewListFiltersPaginator to fetch all pages
- Secretsmanager versions() lacked access-denied handling; added Is400AccessDeniedError guard consistent with other list methods

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
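The two list-side fixes in that commit (missing pagination and the name-derived sourceType) are easy to reproduce without an AWS account. The following is an added example, not code from this PR or from the provider; it stands in a fake GuardDuty client for the SDK and shows how a single ListFilters call drops every filter past the first page, while the NextToken loop (what NewListFiltersPaginator does for you) returns them all and treats an access-denied error the way the Is400AccessDeniedError guard is assumed to, as "no filters visible" rather than a failed query. The "aws-service-channel/" prefix used for sourceType is an assumption taken from AWS documentation, not stated in the PR.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// channelDetail is a constructed stand-in for the CloudTrail channel detail
// (the real type is cloudtrail.GetChannelOutput); only the fields used here.
type channelDetail struct {
	Name   string
	Source string
}

// Service-linked CloudTrail channels carry this name prefix; the prefix is an
// assumption taken from AWS documentation, not from the PR.
const awsServiceChannelPrefix = "aws-service-channel/"

// sourceType derives AWS_SERVICE vs CUSTOM from the channel name instead of
// echoing Source, which is what the original sourceType() did.
func sourceType(d channelDetail) string {
	if strings.HasPrefix(d.Name, awsServiceChannelPrefix) {
		return "AWS_SERVICE"
	}
	return "CUSTOM"
}

// listFiltersOutput mirrors the shape of guardduty.ListFiltersOutput.
type listFiltersOutput struct {
	FilterNames []string
	NextToken   *string
}

// filterLister is the slice of the GuardDuty client the listing code needs.
type filterLister interface {
	ListFilters(detectorID string, nextToken *string) (*listFiltersOutput, error)
}

// errAccessDenied stands in for the SDK's 400 AccessDeniedException.
var errAccessDenied = errors.New("AccessDeniedException: not authorized to perform guardduty:ListFilters")

// fakeGuardDuty serves a constructed filter list in pages of pageSize and uses
// the next start index as the NextToken.
type fakeGuardDuty struct {
	filters  []string
	pageSize int
	denied   bool
}

func (f *fakeGuardDuty) ListFilters(_ string, nextToken *string) (*listFiltersOutput, error) {
	if f.denied {
		return nil, errAccessDenied
	}
	start := 0
	if nextToken != nil {
		start, _ = strconv.Atoi(*nextToken)
	}
	end := start + f.pageSize
	if end > len(f.filters) {
		end = len(f.filters)
	}
	out := &listFiltersOutput{FilterNames: f.filters[start:end]}
	if end < len(f.filters) {
		tok := strconv.Itoa(end)
		out.NextToken = &tok
	}
	return out, nil
}

// isAccessDenied plays the role of Is400AccessDeniedError.
func isAccessDenied(err error) bool { return errors.Is(err, errAccessDenied) }

// listFiltersFirstPageOnly reproduces the defect: one call, so any filter
// beyond the first page silently disappears from the inventory.
func listFiltersFirstPageOnly(c filterLister, detectorID string) ([]string, error) {
	out, err := c.ListFilters(detectorID, nil)
	if err != nil {
		return nil, err
	}
	return out.FilterNames, nil
}

// listAllFilters follows NextToken until no further page is reported (the
// loop NewListFiltersPaginator performs) and maps access denied to an empty
// result instead of failing the whole detector query.
func listAllFilters(c filterLister, detectorID string) ([]string, error) {
	var all []string
	var token *string
	for {
		out, err := c.ListFilters(detectorID, token)
		if err != nil {
			if isAccessDenied(err) {
				return []string{}, nil
			}
			return nil, err
		}
		all = append(all, out.FilterNames...)
		if out.NextToken == nil {
			return all, nil
		}
		token = out.NextToken
	}
}

func main() {
	gd := &fakeGuardDuty{filters: []string{"f1", "f2", "f3", "f4", "f5"}, pageSize: 2}
	one, _ := listFiltersFirstPageOnly(gd, "det-1")
	all, _ := listAllFilters(gd, "det-1")
	fmt.Printf("first page only: %v\nall pages: %v\n", one, all)
	fmt.Println(sourceType(channelDetail{Name: "aws-service-channel/example", Source: "x"}))
}
```

The security consequence of the unpaginated version is silent under-reporting: a policy that checks every GuardDuty filter for a suppressing action would pass on a detector whose offending filter sits on page two.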
…field

ListRoles API never returns PermissionsBoundary (only GetRole does), so the eagerly-set permissionsBoundaryArn was always empty. The new permissionsBoundary() typed reference now calls GetRole on demand to fetch the real value, and backfills permissionsBoundaryArn for consistency.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
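The list-versus-get asymmetry described in that commit is worth seeing in isolation, because an inventory that reads the boundary from ListRoles will report every role as unbounded. The following is an added example, not the provider's code: a constructed fake IAM client whose ListRoles omits the boundary and whose GetRole carries it, a role resource that fetches the boundary lazily on first use and backfills the field, and a small check that lists the roles with no boundary attached. The ARN and role names are constructed sample values.

```go
package main

import (
	"fmt"
	"sync"
)

// listedRole is what ListRoles yields: PermissionsBoundary is never populated
// there, only GetRole carries it.
type listedRole struct{ Name, Arn string }

// roleDetail is a constructed stand-in for the role returned by GetRole.
type roleDetail struct {
	Name, Arn              string
	PermissionsBoundaryArn string // empty when no boundary is attached
}

type iamAPI interface {
	ListRoles() ([]listedRole, error)
	GetRole(name string) (*roleDetail, error)
}

// fakeIAM holds constructed roles and counts GetRole calls so the lazy fetch
// and its caching can be observed.
type fakeIAM struct {
	roles    []roleDetail
	getCalls int
}

func (f *fakeIAM) ListRoles() ([]listedRole, error) {
	out := make([]listedRole, 0, len(f.roles))
	for _, r := range f.roles {
		out = append(out, listedRole{Name: r.Name, Arn: r.Arn}) // boundary deliberately absent
	}
	return out, nil
}

func (f *fakeIAM) GetRole(name string) (*roleDetail, error) {
	f.getCalls++
	for _, r := range f.roles {
		if r.Name == name {
			rc := r
			return &rc, nil
		}
	}
	return nil, fmt.Errorf("NoSuchEntity: role %q not found", name)
}

// awsIamRole models the resource: permissionsBoundaryArn is empty after
// listing and is backfilled by PermissionsBoundary() on first use.
type awsIamRole struct {
	client                 iamAPI
	Name, Arn              string
	permissionsBoundaryArn string
	fetched                sync.Once
	fetchErr               error
}

func listRoles(c iamAPI) ([]*awsIamRole, error) {
	listed, err := c.ListRoles()
	if err != nil {
		return nil, err
	}
	roles := make([]*awsIamRole, 0, len(listed))
	for _, r := range listed {
		roles = append(roles, &awsIamRole{client: c, Name: r.Name, Arn: r.Arn})
	}
	return roles, nil
}

// PermissionsBoundary calls GetRole once, caches the result and backfills the
// string field; "" means the role has no boundary attached.
func (r *awsIamRole) PermissionsBoundary() (string, error) {
	r.fetched.Do(func() {
		d, err := r.client.GetRole(r.Name)
		if err != nil {
			r.fetchErr = err
			return
		}
		r.permissionsBoundaryArn = d.PermissionsBoundaryArn
	})
	return r.permissionsBoundaryArn, r.fetchErr
}

// rolesWithoutBoundary is the kind of posture check the typed reference makes
// reliable: which roles carry no permissions boundary at all.
func rolesWithoutBoundary(roles []*awsIamRole) ([]string, error) {
	var missing []string
	for _, r := range roles {
		b, err := r.PermissionsBoundary()
		if err != nil {
			return nil, err
		}
		if b == "" {
			missing = append(missing, r.Name)
		}
	}
	return missing, nil
}

func main() {
	iam := &fakeIAM{roles: []roleDetail{
		{Name: "Admin", Arn: "arn:aws:iam::123456789012:role/Admin", PermissionsBoundaryArn: "arn:aws:iam::123456789012:policy/ExampleBoundary"},
		{Name: "Deploy", Arn: "arn:aws:iam::123456789012:role/Deploy"},
	}}
	roles, _ := listRoles(iam)
	missing, _ := rolesWithoutBoundary(roles)
	fmt.Println("roles without a permissions boundary:", missing, "GetRole calls:", iam.getCalls)
}
```

One GetRole per role is the cost of correctness here; the sync.Once keeps repeated property access from turning into repeated API calls.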
…ey ID

- Rename aws.fsx.cache.cacheSubnets() → subnets() for consistency with the sibling aws.fsx.filesystem resource
- Guard secretsmanager replicaRegion kmsKey() against non-ARN values (the API can return a key ID or alias, not just an ARN)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
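The kmsKey() guard in that commit exists because the KeyId a replica region reports is not guaranteed to be an ARN. As an added example (not the provider's code), the function below classifies the four forms KMS accepts for a key identifier and only hands a full key ARN on to a typed reference; the assumption that the guard yields no reference for the other forms is mine, as are the sample identifiers.

```go
package main

import (
	"fmt"
	"strings"
)

// kmsKeyKind classifies the KeyId value Secrets Manager can report for a
// replica region. The API may return any of these forms, not only a key ARN.
type kmsKeyKind int

const (
	kmsKeyUnknown kmsKeyKind = iota
	kmsKeyARN                // arn:<partition>:kms:<region>:<account>:key/<uuid>
	kmsAliasARN              // arn:<partition>:kms:<region>:<account>:alias/<name>
	kmsAliasName             // alias/<name>
	kmsKeyID                 // bare UUID such as 1234abcd-12ab-34cd-56ef-1234567890ab
)

func (k kmsKeyKind) String() string {
	return [...]string{"unknown", "key ARN", "alias ARN", "alias name", "key ID"}[k]
}

// isKeyID reports whether s has the 8-4-4-4-12 hex layout of a KMS key ID.
func isKeyID(s string) bool {
	groups := strings.Split(s, "-")
	if len(groups) != 5 {
		return false
	}
	for i, want := range []int{8, 4, 4, 4, 12} {
		if len(groups[i]) != want {
			return false
		}
		for _, c := range groups[i] {
			isHex := (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F')
			if !isHex {
				return false
			}
		}
	}
	return true
}

// classifyKmsKeyID decides which form the identifier takes.
func classifyKmsKeyID(id string) kmsKeyKind {
	switch {
	case strings.HasPrefix(id, "arn:"):
		// arn:partition:service:region:account:resource; the resource part may
		// itself contain ':' so split into at most six pieces.
		parts := strings.SplitN(id, ":", 6)
		if len(parts) != 6 || parts[2] != "kms" {
			return kmsKeyUnknown
		}
		resource := parts[5]
		switch {
		case strings.HasPrefix(resource, "key/") && isKeyID(strings.TrimPrefix(resource, "key/")):
			return kmsKeyARN
		case strings.HasPrefix(resource, "alias/"):
			return kmsAliasARN
		}
		return kmsKeyUnknown
	case strings.HasPrefix(id, "alias/"):
		return kmsAliasName
	case isKeyID(id):
		return kmsKeyID
	}
	return kmsKeyUnknown
}

// kmsKeyARNForReference is the guard: only a full key ARN becomes a typed
// aws.kms.key reference; every other form yields ok=false so the caller can
// return nil instead of attempting a lookup that cannot succeed.
func kmsKeyARNForReference(id string) (arn string, ok bool) {
	if classifyKmsKeyID(id) == kmsKeyARN {
		return id, true
	}
	return "", false
}

func main() {
	// Constructed sample identifiers covering each form.
	for _, id := range []string{
		"arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
		"arn:aws:kms:us-east-1:123456789012:alias/example-replica-key",
		"alias/example-replica-key",
		"1234abcd-12ab-34cd-56ef-1234567890ab",
		"not-a-key",
	} {
		_, ok := kmsKeyARNForReference(id)
		fmt.Printf("%-80s %-10s reference=%v\n", id, classifyKmsKeyID(id), ok)
	}
}
```

A bare key ID or alias is still useful data for a policy (it tells you the replica is customer-key encrypted rather than using the AWS managed key), so a resource would typically keep the raw string field alongside the typed reference rather than discarding it.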
Summary

- EKS: encryptionKmsKey()/encryptionResources() (deprecates encryptionConfig), upgradePolicy, zonalShiftConfig, computeConfig, storageConfig, remoteNetworkConfig on cluster; nodeRepairEnabled, nodegroupSubnets on nodegroup
- Secrets Manager: type(), versions(), deletedAt() on secret; new secret.version resource
- GuardDuty: detector.filter (finding filters) and detector.member (member accounts) resources
- CloudTrail: eventDataStore (CloudTrail Lake) and channel (external event ingestion) resources
- Security Hub: member and enabledProduct resources; history() on finding; removes enabledStandards (breaking, v13.6.3 — replaced by standardSubscriptions)
- Identity Center: group and user resources from identity store; customerManagedPolicies(), permissionsBoundary() on permissionSet; replaces permissionSetArn with typed permissionSet() on accountAssignment (breaking, v13.6.3); adds identitystore SDK dependency

Deprecation

- aws.eks.cluster.encryptionConfig (introduced v11.15.2, Sep 2023) deprecated in favor of encryptionKmsKey() + encryptionResources()

Test plan

make providers/build/aws && make providers/install/aws
mql run aws -c "aws.eks.clusters { encryptionKmsKey upgradePolicy }"
mql run aws -c "aws.secretsmanager.secrets { type versions }"
mql run aws -c "aws.guardduty.detectors { filters members }"
mql run aws -c "aws.cloudtrail.eventDataStores { name status }"
mql run aws -c "aws.cloudtrail.channels { name sourceType }"
mql run aws -c "aws.securityhub.hubs { members enabledProducts }"
mql run aws -c "aws.securityhub.hubs { findings { history } }"
mql run aws -c "aws.identitycenter.instances { groups users }"
mql run aws -c "aws.identitycenter.instances { permissionSets { customerManagedPolicies permissionsBoundary } }"
mql run aws -c "aws.identitycenter.instances { accountAssignments { permissionSet } }"

🤖 Generated with Claude Code