From b72f1ca28f42d387fa079663dec52676cf007c61 Mon Sep 17 00:00:00 2001
From: Matthias Veit
Date: Tue, 14 May 2024 11:45:13 +0200
Subject: [PATCH] [fix] SSM compliance (#13)
* [fix] SSM compliance
---
 .github/workflows/publish.yml | 2 +-
 fixcompliance/data/checks/aws/aws_ssm.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 3826b42..53f529f 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -49,7 +49,7 @@ jobs:
 packages_dir: ./dist/
 - name: Trigger workflow in fixinventory repo
- if: ${{ github.actor != 'someci' }}
+ if: github.ref_type == 'tag' && github.actor != 'someci'
 env:
 GITHUB_TOKEN: ${{ secrets.SOME_CI_PAT }}
 run: |
diff --git a/fixcompliance/data/checks/aws/aws_ssm.json b/fixcompliance/data/checks/aws/aws_ssm.json
index cd759cd..37f2aa7 100644
--- a/fixcompliance/data/checks/aws/aws_ssm.json
+++ b/fixcompliance/data/checks/aws/aws_ssm.json
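Review bot: The new `if:` condition on the "Trigger workflow in fixinventory repo" step is undocumented, and the reason for excluding the `someci` actor is not stated anywhere in the hunk; a comment above the step such as `# Only dispatch to fixinventory for tag pushes, and never when the run was itself started by the CI account` would record the intent. `github.ref_type == 'tag'` admits every tag, not only release tags, so if releases are identified by a prefix a tighter guard like `startsWith(github.ref, 'refs/tags/v')` would further narrow when this PAT-bearing step runs (hedged: the tagging scheme is not visible here). The enclosing job and the step's `run:` script begin and end outside the hunk, so whether the publish job itself is limited to tag refs cannot be confirmed from this view.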
@@ -106,7 +106,7 @@
 "risk": "Non-compliance of AWS resources (EC2, DynamoDB, SSM, S3) with AWS Systems Manager policies could expose security vulnerabilities, and incite operational inconsistencies. This could infringe regulatory compliance laws risking system integrity, data safety, and reliability.",
 "severity": "high",
 "detect": {
- "fix": "is(aws_ssm_resource_compliance) --> is(aws_ec2_instance, aws_dynamodb_table, aws_ssm_document, aws_s3_bucket)"
+ "fix": "is(aws_ssm_resource_compliance) and status=NON_COMPLIANT --> is(aws_ec2_instance, aws_dynamodb_table, aws_ssm_document, aws_s3_bucket)"
 },
 "remediation": {
 "text": "To rectify non-compliance, identify the unmet AWS Systems Manager standards for each resource. Ensure proper setup of SSM Agent for EC2 instances, verify table settings for DynamoDB against best practices, fix S3 bucket's access controls and encryption settings. Enforce compliance policies, perform consistent audits, and leverage AWS Systems Manager automation to mend non-compliant resources.",
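Review bot: The added `status=NON_COMPLIANT` predicate in the `fix` query is only correct if `aws_ssm_resource_compliance` exposes the AWS `ComplianceStatus` value under a field literally named `status` with that exact casing; neither the field name nor its value set is visible in this hunk, and a mismatch would not error but would silently make the check match nothing, so confirm it against the resource model (ideally with a fixture containing one COMPLIANT and one NON_COMPLIANT item). Narrowing the query also means resources that have no SSM compliance item at all are no longer reported, which matches the `risk` text but is a behaviour change relative to the previous query that flagged every associated resource, and is worth stating in the check's description. The enclosing check object starts and ends outside the hunk.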