redshift
Sample rules
A few rules that use objects from this package:
public_access_db_redshift_rule
from typing import List, Dict
from cloudrail.knowledge.rules.aws.aws_base_rule import AwsBaseRule
from cloudrail.knowledge.context.aws.aws_environment_context import AwsEnvironmentContext
from cloudrail.knowledge.rules.base_rule import Issue
from cloudrail.knowledge.rules.rule_parameters.base_paramerter import ParameterType
class PublicAccessDbRedshiftRule(AwsBaseRule):
def get_id(self) -> str:
return 'public_access_db_redshift_rule'
def execute(self, env_context: AwsEnvironmentContext, parameters: Dict[ParameterType, any]) -> List[Issue]:
issues: List[Issue] = []
for redshift in env_context.redshift_clusters:
violating_security_group = redshift.security_group_allowing_public_access
if violating_security_group:
issues.append(Issue(
f'~Internet~. '
f"{redshift.get_type()}: `{redshift.get_friendly_name()}` "
f"is on {redshift.network_resource.vpc.get_type()}"
f" `{redshift.network_resource.vpc.get_friendly_name()}`. "
f"{redshift.get_type()} uses security groups "
f"`{', '.join([x.get_friendly_name() for x in redshift.network_resource.security_groups])}`. "
f"Security group(s) allow Redshift associated port. "
f"{redshift.get_type()} is on subnets:"
f" `{', '.join([x.get_friendly_name() for x in redshift.network_resource.subnets])}`. "
f"Subnets rely on Network ACL's "
f"`{', '.join([x.network_acl.get_friendly_name() for x in redshift.network_resource.subnets])}`. "
f"{redshift.get_type()} is capable of traversing to the internet via Redshift associated port. "
f"~{redshift.get_type()} `{redshift.get_friendly_name()}`~",
redshift,
violating_security_group))
return issues
def should_run_rule(self, environment_context: AwsEnvironmentContext) -> bool:
return bool(environment_context.redshift_clusters)
indirect_public_access_db_redshift
from typing import List, Dict, Optional
from cloudrail.knowledge.context.aws.resources.indirect_public_connection_data import IndirectPublicConnectionData
from cloudrail.knowledge.rules.aws.aws_base_rule import AwsBaseRule
from cloudrail.knowledge.context.aws.aws_environment_context import AwsEnvironmentContext
from cloudrail.knowledge.rules.base_rule import Issue
from cloudrail.knowledge.rules.rule_parameters.base_paramerter import ParameterType
class IndirectPublicAccessDbRedshift(AwsBaseRule):
def get_id(self) -> str:
return 'indirect_public_access_db_redshift'
def execute(self, env_context: AwsEnvironmentContext, parameters: Dict[ParameterType, any]) -> List[Issue]:
issues: List[Issue] = []
for redshift in env_context.redshift_clusters:
violation_data: Optional[IndirectPublicConnectionData] = redshift.indirect_public_connection_data
if violation_data:
issues.append(
Issue(
f'~Internet~. '
f"Instance `{violation_data.target_eni.owner.get_friendly_name()}"
f"` resides in subnet(s) that are routable to internet gateway. "
f'Instance has public IP address. '
f'Instance accepts incoming traffic on port 443. '
f"~Instance `{violation_data.target_eni.owner.get_friendly_name()}`~. "
f"Redshift Database: `{redshift.get_friendly_name()}` does not have a public IP address. "
f"{redshift.get_type()} is on subnets:"
f" `{', '.join([x.get_friendly_name() for x in redshift.network_resource.subnets])}`. "
f"Redshift resides in same subnet as Instance `{violation_data.target_eni.owner.get_friendly_name()}`. "
f"Redshift Database uses Network ACL's "
f"`{', '.join([x.network_acl.get_friendly_name() for x in redshift.network_resource.subnets])}`. "
f'{redshift.get_type()} is accessible from instance within public subnet. '
f"~{redshift.get_type()} `{redshift.get_friendly_name()}`~",
redshift,
violation_data.security_group))
return issues
def should_run_rule(self, environment_context: AwsEnvironmentContext) -> bool:
return bool(environment_context.redshift_clusters)
disallow_ec2_classic_mode_rule
from typing import List, Dict
from cloudrail.knowledge.context.aws.aws_environment_context import AwsEnvironmentContext
from cloudrail.knowledge.rules.aws.aws_base_rule import AwsBaseRule
from cloudrail.knowledge.rules.base_rule import Issue
from cloudrail.knowledge.rules.rule_parameters.base_paramerter import ParameterType
class DisallowEc2ClassicModeRule(AwsBaseRule):
def get_id(self) -> str:
return 'disallow_ec2_classic_mode_rule'
def execute(self, env_context: AwsEnvironmentContext, parameters: Dict[ParameterType, any]) -> List[Issue]:
issues: List[Issue] = []
for redshift in env_context.redshift_clusters:
if not redshift.is_ec2_vpc_platform:
issues.append(
Issue(
f'~{redshift.get_type()}~. '
f'{redshift.get_type()} with database name `{redshift.get_friendly_name()}` is using EC2-Classic mode.'
f' It should use EC2-VPC mode instead',
redshift,
redshift))
return issues
def should_run_rule(self, environment_context: AwsEnvironmentContext) -> bool:
return bool(environment_context.redshift_clusters)
RedshiftCluster (NetworkEntity, INetworkConfiguration)
Attributes:
| Name | Type | Description |
|---|---|---|
db_name |
str |
The name of the database. |
cluster_identifier |
The ID for the cluster. |
|
port |
int |
The port used by the cluster. |
subnet_group_name |
str |
The name of the subnet group used by the cluster. |
security_groups |
List of IDs of security groups used by the cluster. |
|
assign_public_ip |
True if to assign a public IP to the cluster. |
|
encrypted |
bool |
True if the cluster is set to be encrypted at rest. |
security_group_allowing_public_access |
Optional[SecurityGroup] |
A security group that allows access from the internet. This value will be None when this resource is not accessible from the internet. |
indirect_public_connection_data |
Optional[IndirectPublicConnectionData] |
The data that describes that a publicly-accessible resource can access this resource by a security group of this resource. |
logs_config |
Optional[RedshiftLogging] |
The logs settings for this cluster, if configured. |
custom_invalidation(self)
inherited
A list of manual reasons why this resource should be invalidated
exclude_from_invalidation(self)
inherited
A list of attributes that should be excluded from the invalidation process
RedshiftSubnetGroup (AwsResource)
Attributes:
| Name | Type | Description |
|---|---|---|
name |
str |
The name of the subnet group. |
subnet_ids |
List[str] |
The IDs of the subnets included in the group. |
custom_invalidation(self)
inherited
A list of manual reasons why this resource should be invalidated
exclude_from_invalidation(self)
inherited
A list of attributes that should be excluded from the invalidation process
RedshiftLogging (AwsResource)
Attributes:
| Name | Type | Description |
|---|---|---|
cluster_identifier |
str |
The ID for the Redshift cluster. |
s3_bucket |
Optional[str] |
The S3 bucket name which the Redshift logs should be stored at. |
s3_prefix |
Optional[str] |
A prefix string to be applied to the log file names. |
logging_enabled |
bool |
Indication if the logs are enabled for the Redshift cluster. |
custom_invalidation(self)
inherited
A list of manual reasons why this resource should be invalidated
exclude_from_invalidation(self)
inherited
A list of attributes that should be excluded from the invalidation process