
feat(preflight): build preflight package for AWS #1716


Open
wants to merge 3 commits into base: main

Conversation

@PengyuanZhao (Contributor) commented May 28, 2025

Summary

This PR creates the package which serves functions to do preflight checks for AWS integrations including Agentless, Config and CloudTrail.

The following tasks will be run sequentially:

  • Fetch caller info
  • Fetch all policies
  • Extract permission from policies
  • Find out the missing required permissions.
  • Fetch other account details including:
    • Enabled regions
    • Existing CloudTrail
    • EKS clusters
    • If the caller can access the organization
      • Fetch management account ID
      • Fetch all account IDs and org unit IDs

How did you test this change?

Run integration test in preflight_aws_test.go

@PengyuanZhao PengyuanZhao requested a review from a team as a code owner May 28, 2025 15:15
@PengyuanZhao PengyuanZhao requested review from charanbir, jeffreynglw and aneesh-mysore and removed request for a team May 28, 2025 15:15
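As an added example, not code from this PR or from the project: a stand-alone Go program (standard library only, Go 1.21+ for `slices`) that walks through the "fetch all policies, extract permissions, find the missing required permissions" steps of the summary above. Every name in it is an assumption: the `multi`, `statement`, `callerPermissions`, `extractPermissions`, `anyMatch` and `missingPermissions` identifiers, the constructed sample policy documents, and the required-action list, which only stands in for whatever the preflight package really checks. It treats the caller as admin only when an Allow statement grants Action `"*"` on Resource `"*"`, and it evaluates explicit Deny statements before that shortcut, because IAM does. The sample documents are plain JSON; `iam:GetPolicyVersion` returns the Document URL-encoded, so a real caller decodes it first.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
	"slices"
	"strings"
)

// multi decodes a JSON value that IAM allows as either one T or a list of T.
type multi[T any] []T

func (m *multi[T]) UnmarshalJSON(b []byte) error {
	var one T
	if err := json.Unmarshal(b, &one); err == nil {
		*m = []T{one}
		return nil
	}
	var many []T
	err := json.Unmarshal(b, &many)
	*m = many
	return err
}

type statement struct {
	Effect   string        `json:"Effect"`
	Action   multi[string] `json:"Action"`
	Resource multi[string] `json:"Resource"`
}

type callerPermissions struct {
	IsAdmin bool     // some Allow statement grants Action "*" on Resource "*"
	Allow   []string // action patterns from Allow statements
	Deny    []string // action patterns from Deny statements
}

// extractPermissions folds already URL-decoded policy documents into one
// summary. NotAction, NotResource and Condition are not modelled here.
func extractPermissions(docs []string) (callerPermissions, error) {
	var perms callerPermissions
	for i, doc := range docs {
		var pd struct{ Statement multi[statement] }
		if err := json.Unmarshal([]byte(doc), &pd); err != nil {
			return callerPermissions{}, fmt.Errorf("policy %d: %w", i, err)
		}
		for _, st := range pd.Statement {
			switch st.Effect {
			case "Allow":
				if slices.Contains(st.Action, "*") && slices.Contains(st.Resource, "*") {
					perms.IsAdmin = true
				}
				perms.Allow = append(perms.Allow, st.Action...)
			case "Deny":
				perms.Deny = append(perms.Deny, st.Action...)
			}
		}
	}
	return perms, nil
}

// anyMatch reports whether any pattern covers action under IAM rules: matching is
// case-insensitive with "*" and "?" as the only wildcards, and path.Match does
// exactly that because action names never contain "/".
func anyMatch(patterns []string, action string) bool {
	action = strings.ToLower(action)
	for _, p := range patterns {
		if ok, _ := path.Match(strings.ToLower(p), action); ok {
			return true
		}
	}
	return false
}

// missingPermissions lists the required actions the caller cannot perform. An
// explicit Deny beats every Allow, including the admin shortcut, as in IAM.
func missingPermissions(perms callerPermissions, required []string) (missing []string) {
	for _, a := range required {
		if anyMatch(perms.Deny, a) || !(perms.IsAdmin || anyMatch(perms.Allow, a)) {
			missing = append(missing, a)
		}
	}
	return missing
}

// Constructed sample, not project data: two policy documents (the second uses a
// single Statement object rather than a list) and an assumed required-action list.
var samplePolicies = []string{
	`{"Statement":[{"Effect":"Allow","Action":["ec2:Describe*","cloudtrail:DescribeTrails","eks:ListClusters"],"Resource":"*"},` +
		`{"Effect":"Allow","Action":"organizations:DescribeOrganization","Resource":"*"}]}`,
	`{"Statement":{"Effect":"Deny","Action":"eks:*","Resource":"*"}}`,
}

var sampleRequired = []string{"ec2:DescribeRegions", "cloudtrail:DescribeTrails",
	"eks:ListClusters", "organizations:DescribeOrganization", "organizations:ListAccounts"}

func main() {
	perms, err := extractPermissions(samplePolicies)
	fmt.Println("admin:", perms.IsAdmin, "missing:", missingPermissions(perms, sampleRequired), "err:", err)
}
```

The Deny document is what makes the admin shortcut worth thinking about: with `eks:*` denied, `eks:ListClusters` is reported missing even though an Allow statement names it, and it would stay missing for a caller whose other policy grants `"*"`.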

github-actions bot commented May 28, 2025

Lacework Code Security found potential new issues in this PR.

sca found 5 potential new issues
Potential hardcoded credentials. The code snippet will not be displayed for security reasons.
Potential hardcoded credentials. The code snippet will not be displayed for security reasons.
Potential hardcoded credentials. The code snippet will not be displayed for security reasons.
Potential hardcoded credentials. The code snippet will not be displayed for security reasons.
Potential hardcoded credentials. The code snippet will not be displayed for security reasons.

Comment on lines +77 to +80
if a == "*" {
p.caller.IsAdmin = true
return nil
}
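Review bot: the `a == "*"` test looks only at the action string, so it marks the caller admin for any statement that contains Action "*" regardless of that statement's Effect, Resource or Condition; an `Effect: Deny` with `Action: "*"`, or an Allow on "*" scoped to a single resource ARN, would both set `p.caller.IsAdmin = true`. The early `return nil` also ends processing there, so Deny statements later in the document are never recorded. Suggest gating the shortcut on `statement.Effect == "Allow"` with Resource "*", and keeping Deny actions so the missing-permission check can still report an explicitly denied action.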
Contributor

Does this mean we don't need to populate the permissions map below if any of the statement.Action from any document has statement.Action == "*" ?

@PengyuanZhao (Contributor Author) commented May 28, 2025

Yes. If any action is "*", that will mean the caller can do anything(like having admin access). No need to populate the map to check permissions.

Comment on lines +22 to +24
if strings.Contains(lastStr, "assumed-role") {
return paths[len(paths)-2], nil
}
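Review bot: `paths[len(paths)-2]` is indexed without a visible length check, so a `lastStr` that contains "assumed-role" but splits into fewer than two elements panics with an index out of range instead of returning an error. `strings.Contains` is also a substring match, so a role or user name that merely contains "assumed-role" takes this branch too. Suggest `strings.HasPrefix(lastStr, "assumed-role/")` together with `if len(paths) < 2 { return "", fmt.Errorf(...) }` before the index, and putting the example ARN the reviewer asked for next to it, e.g. `arn:aws:sts::123456789012:assumed-role/RoleName/SessionName`, so the `-2` offset is obviously the role name.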
Contributor

I think it would be useful to add an example comment on how this assumed-role Arn might look like.

@PengyuanZhao (Contributor Author)

Added examples in the comment.


(Audit Mode) sca found 5 potential new issues
Potential hardcoded credentials. The code snippet will not be displayed for security reasons.
Potential hardcoded credentials. The code snippet will not be displayed for security reasons.
Potential hardcoded credentials. The code snippet will not be displayed for security reasons.
Potential hardcoded credentials. The code snippet will not be displayed for security reasons.
Potential hardcoded credentials. The code snippet will not be displayed for security reasons.

2 participants