Cloud-custodian: Using Glue Catalog in cloud-trail mode for PutResourcePolicy event

Created on 5 Jun 2020  路  4Comments  路  Source: cloud-custodian/cloud-custodian

I don't know if this is a bug per-se, maybe its by design. It could be considered an enhancement request. There are certain actions like PutResourcePolicy that do not provide the catalogId in the event body. I have tried using the account id in place of it as I understand they can be interchangeable but it will filter down to 0 resources matched. Unlike if I was doing a polling policy.

https://docs.aws.amazon.com/glue/latest/webapi/API_PutResourcePolicy.html

Example Policy

  - name: net-change-rbp-cross-account
    resource: aws.glue-catalog
    mode:
      type: cloudtrail
      role: arn:aws:iam::644160558196:role/fakerole
      events:
        - source: glue.amazonaws.com
          event: PutResourcePolicy
          ids: account
    filters:
      - type: cross-account
    actions:
      - type: notify
        to: 
          - [email protected]
        transport:
          type: sns
          topic: arn:aws:sns:us-east-1:644160558196:faketopic

Sample event

{
  "version": "0",
  "id": "4186524f-f288-ecb2-0052-fwdqdfwdq",
  "detail-type": "AWS API Call via CloudTrail",
  "source": "aws.glue",
  "account": "644160558196",
  "time": "2020-06-04T15:18:28Z",
  "region": "us-east-1",
  "resources": [],
  "detail": {
    "eventVersion": "1.05",
    "userIdentity": {
      "type": "IAMUser",
      "principalId": "sdafadsfdsaf",
      "arn": "arn:aws:iam::644160558196:user/[email protected]",
      "accountId": "644160558196",
      "accessKeyId": "dfwdfqfdqwf",
      "userName": "[email protected]",
      "sessionContext": {
        "sessionIssuer": {},
        "webIdFederationData": {},
        "attributes": {
          "mfaAuthenticated": "false",
          "creationDate": "2020-06-04T15:06:07Z"
        }
      }
    },
    "eventTime": "2020-06-04T15:18:28Z",
    "eventSource": "glue.amazonaws.com",
    "eventName": "PutResourcePolicy",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "99.99.99.99",
    "userAgent": "console.amazonaws.com",
    "requestParameters": {
      "policyHashCondition": "ggigiigpjjjoppjojpo==",
      "policyInJson": "{\n  \"Version\" : \"2012-10-17\",\n  \"Statement\" : [ {\n    \"Effect\" : \"Allow\",\n    \"Principal\" : \"*\",\n    \"Action\" : \"glue:*\",\n    \"Resource\" : \"arn:aws:glue:us-east-1:644160558196:catalog\",\n    \"Condition\": {\n        \"StringEquals\": {\n            \"aws:PrincipalOrgID\": \"o-4amkskbcf3\"\n        }        \n    }\n  } ]\n}"
    },
    "responseElements": {
      "policyHash": "fghfhgfhgfgh=="
    },
    "requestID": "562ac246-0da8-4eb7-143tt431t-7053b5ecf789",
    "eventID": "ttityitiit-9b01-13t4113-a1db-57f55e636789",
    "eventType": "AwsApiCall"
  },
  "debug": true
}
kinbug kinquestion

Most helpful comment

the solution would be a change to the catalog resource to implement a match_ids, get_resources method that always returns a resource. similar to how the synthetic resource aws.account works.

All 4 comments

the solution would be a change to the catalog resource to implement a match_ids, get_resources method that always returns a resource. similar to how the synthetic resource aws.account works.

Thanks for the guidance @kapilt! I followed the trail to that match_ids method call from policy.py and didn鈥檛 even think of overriding. It was late and a long day :) I鈥檒l throw a pr up today to address.

Thanks @JohnHillegass and @kapilt !

Hey @PratMis and @kapilt, I have submitted PR #5841 to address this

Was this page helpful?
0 / 5 - 0 ratings

Related issues

zfLQ2qx2 picture zfLQ2qx2  路  3Comments

justinhauer picture justinhauer  路  4Comments

nitrocode picture nitrocode  路  4Comments

cmedley picture cmedley  路  4Comments

kapilt picture kapilt  路  3Comments