Merge pull request #130 from cloudgraphdev/fix/CG-1331-aws-pci-asg-1

tyler-dunkel · web-flow · commit d0c1fc5c5cdf · 2023-03-05T15:11:40.000-06:00
fix(CG-1331): fix aws pci asg rule
diff --git a/src/aws/pci-dss-3.2.1/rules/pci-dss-3.2.1-autoscaling-check-1.ts b/src/aws/pci-dss-3.2.1/rules/pci-dss-3.2.1-autoscaling-check-1.ts
@@ -43,15 +43,17 @@ export default {
   resource: 'queryawsAsg[*]',
   severity: 'low',
   conditions: {
-    and: [
-      {
-        path: '@.healthCheckType',
-        equal: 'ELB',
-      },
-      {
-        path: '@.loadBalancerNames',
-        isEmpty: false,
-      },
-    ],
+    not: {
+      and: [
+        {
+          path: '@.healthCheckType',
+          equal: 'EC2',
+        },
+        {
+          path: '@.loadBalancerNames',
+          isEmpty: false,
+        },
+      ]
+    },
   },
 }
diff --git a/src/aws/pci-dss-3.2.1/tests/pci-dss-3.2.1-autoscaling-checks.test.ts b/src/aws/pci-dss-3.2.1/tests/pci-dss-3.2.1-autoscaling-checks.test.ts
@@ -10,7 +10,7 @@ describe('PCI Data Security Standard: 3.2.1', () => {
     rulesEngine = initRuleEngine('aws', 'PCI')
   })
   describe('Autoscaling Check 1: Auto Scaling groups associated with a load balancer should use health checks', () => {
-    test('Should fail when it contains an invalid health check type and zero load balancers', async () => {
+    test('Should pass when it contains an invalid health check type and zero load balancers', async () => {
       const data = {
         queryawsAsg: [
           {
@@ -26,10 +26,29 @@ describe('PCI Data Security Standard: 3.2.1', () => {
         { ...data } as any
       )
 
+      expect(processedRule.result).toBe(Result.PASS)
+    })
+
+    test('Should fail when it contains an invalid health check type and at least one load balancer', async () => {
+      const data = {
+        queryawsAsg: [
+          {
+            id: cuid(),
+            loadBalancerNames: ['alb_1', 'alb2'],
+            healthCheckType: 'EC2',
+          },
+        ],
+      }
+
+      const [processedRule] = await rulesEngine.processRule(
+        Aws_PCI_DSS_321_Autoscaling_1 as Rule,
+        { ...data } as any
+      )
+
       expect(processedRule.result).toBe(Result.FAIL)
     })
 
-    test('Should fail when it contains a valid health check type and zero load balancers', async () => {
+    test('Should pass when it contains a valid health check type and zero load balancers', async () => {
       const data = {
         queryawsAsg: [
           {
@@ -45,7 +64,7 @@ describe('PCI Data Security Standard: 3.2.1', () => {
         { ...data } as any
       )
 
-      expect(processedRule.result).toBe(Result.FAIL)
+      expect(processedRule.result).toBe(Result.PASS)
     })
 
     test('Should pass when it contains a valid health check type and at least one load balancer', async () => {
