fix result_kinds

resotocore/resotocore/report/inspector_service.py

@@ -411,14 +411,27 @@ async def validate_check_collection_config(self, json: Json) -> Optional[Json]:
             for check in ReportCheckCollectionConfig.from_config(ConfigEntity(ResotoReportCheck, json)):
                 try:
                     env = check.default_values or {}
-                    if search := check.detect.get("resoto"):
-                        await self.template_expander.parse_query(search, on_section="reported", env=env)
-                    elif cmd := check.detect.get("resoto_cmd"):
-                        await self.cli.evaluate_cli_command(cmd, CLIContext(env=env))
+                    detect = ""
+                    if detect := check.detect.get("resoto"):
+                        await self.template_expander.parse_query(detect, on_section="reported", env=env)
+                    elif detect := check.detect.get("resoto_cmd"):
+                        await self.cli.evaluate_cli_command(detect, CLIContext(env=env))
                     elif check.detect.get("manual"):
-                        pass
+                        continue
                     else:
                         errors.append(f"Check {check.id} neither has a resoto, resoto_cmd or manual defined")
+                    if not check.result_kinds:
+                        errors.append(f"Check {check.id} does not define any result kind")
+                    for rk in check.result_kinds:
+                        if rk not in detect:
+                            errors.append(f"Check {check.id} does not detect result kind {rk}")
+                    if not check.remediation.text:
+                        errors.append(f"Check {check.id} does not define any remediation text")
+                    if not check.remediation.url:
+                        errors.append(f"Check {check.id} does not define any remediation url")
+                    for prop in ["id", "title", "risk", "severity"]:
+                        if not getattr(check, prop, None):
+                            errors.append(f"Check {check.id} does not define prop {prop}")
                 except Exception as e:
                     errors.append(f"Check {check.id} is invalid: {e}")
             if errors:

resotocore/resotocore/static/report/checks/aws/aws_ec2.json

@@ -666,7 +666,7 @@
         {
             "name": "image_public",
             "title": "Ensure there are no EC2 AMIs set as Public.",
-            "result_kinds": [],
+            "result_kinds": ["aws_ec2_image"],
             "categories": [ "security", "compliance" ],
             "risk": "When your AMIs are publicly accessible, they are available in the Community AMIs where everyone with an AWS account can use them to launch EC2 instances. Your AMIs could contain snapshots of your applications (including their data), therefore exposing your snapshots in this manner is not advised.",
             "severity": "critical",
@@ -696,7 +696,7 @@
         {
             "name": "no_secrets_in_launch_template_user_data",
             "title": "Ensure there are no secrets in EC2 Launch Template User Data.",
-            "result_kinds": ["aws_ec2_instance"],
+            "result_kinds": ["aws_ec2_launch_template"],
             "categories": [ "security", "compliance" ],
             "risk": "Adding secrets in userdata can compromise security as these scripts can be viewed by anyone. Secrets hardcoded into instance user data can be used by malware and bad actors to gain lateral access to other services.",
             "severity": "medium",

resotocore/resotocore/static/report/checks/aws/aws_iam.json

@@ -95,7 +95,7 @@
         {
             "name": "user_hardware_mfa_enabled",
             "title": "Ensure hardware MFA is enabled for all IAM users.",
-            "result_kinds": ["aws_root_user"],
+            "result_kinds": ["aws_iam_user"],
             "categories": ["security", "compliance"],
             "risk": "Hardware MFA is preferred over virtual MFA.",
             "severity": "low",
@@ -239,7 +239,7 @@
         {
             "name": "policy_attached_only_to_group_or_roles",
             "title": "Ensure IAM policies are attached only to groups or roles",
-            "result_kinds": ["aws_iam_access_key"],
+            "result_kinds": ["aws_iam_user"],
             "categories": ["security", "compliance"],
             "risk": "By default IAM users; groups; and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users; groups; or roles. It is recommended that IAM policies be applied directly to groups and roles but not users. Assigning privileges at the group or role level reduces the complexity of access management as the number of users grow. Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.",
             "severity": "low",

resotocore/resotocore/static/report/checks/aws/aws_sagemaker.json

@@ -65,7 +65,7 @@
         {
             "name": "notebook_vpc_settings_enabled",
             "title": "Ensure VPC is configured for SageMaker Notebook",
-            "result_kinds": ["aws_sagemaker_model"],
+            "result_kinds": ["aws_sagemaker_notebook"],
             "categories": ["security", "compliance"],
             "risk": "Notebook without VPC isolation may be vulnerable to unauthorized data access or cyber attacks.",
             "severity": "medium",
@@ -80,7 +80,7 @@
         {
             "name": "training_job_vpc_settings_enabled",
             "title": "Ensure VPC is configured for SageMaker Training Jobs",
-            "result_kinds": ["aws_sagemaker_model"],
+            "result_kinds": ["aws_sagemaker_training_job"],
             "categories": ["security", "compliance"],
             "risk": "Training Jobs without VPC isolation may be vulnerable to unauthorized data access or cyber attacks.",
             "severity": "medium",
@@ -125,7 +125,7 @@
         {
             "name": "training_job_volume_encryption_enabled",
             "title": "Ensure encryption is enabled for SageMaker Training Jobs volumes",
-            "result_kinds": ["aws_sagemaker_model"],
+            "result_kinds": ["aws_sagemaker_training_job"],
             "categories": ["security", "compliance"],
             "risk": "Unencrypted Data pose a risk of unauthorized data access and potential data breaches. Utilizing KMS keys adds a critical layer of security through encryption.",
             "severity": "medium",

resotocore/resotocore/static/report/checks/aws/aws_ssm.json

@@ -56,7 +56,7 @@
             "risk": "Non-compliance of diverse AWS resources (EC2 instances, DynamoDB tables, SSM documents, S3 buckets) with AWS Systems Manager policies poses serious risks. It can lead to security vulnerabilities, operational inconsistencies, and breaches of regulatory compliance, ultimately jeopardizing system integrity, data security, and reliability.",
             "severity": "high",
             "detect": {
-                "resoto": "is(aws_ssm_resource_compliance) -->"
+                "resoto": "is(aws_ssm_resource_compliance) --> is(aws_ec2_instance, aws_dynamodb_table, aws_ssm_document, aws_s3_bucket)"
             },
             "remediation": {
                 "text": "To address non-compliance, identify the compliance standards set by AWS Systems Manager and pinpoint the specific requirements not met by each resource. For EC2 instances, ensure the SSM Agent is correctly configured and the instance is adhering to the desired state configurations. For DynamoDB, verify table settings against best practices. Ensure S3 buckets have proper access controls and encryption settings. Regularly update and enforce compliance policies and perform systematic compliance audits. Utilize AWS Systems Manager automation to streamline the remediation process for non-compliant resources.",