Merge pull request #131 from cloudgraphdev/fix/CG-1332-aws-pci-ec2-check-1

tyler-dunkel · web-flow · commit ed3be7b5ef96 · 2023-03-05T15:12:12.000-06:00
fix(CG-1332): fix aws pci ec2 check 1
diff --git a/src/aws/pci-dss-3.2.1/rules/pci-dss-3.2.1-ec2-check-1.ts b/src/aws/pci-dss-3.2.1/rules/pci-dss-3.2.1-ec2-check-1.ts
@@ -43,7 +43,7 @@ export default {
     'https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html',
   ],
   gql: `{
-    queryawsEbs {
+    queryawsEbsSnapshot {
       id
       arn
       accountId
@@ -54,13 +54,13 @@ export default {
       }
     }
   }`,
-  resource: 'queryawsEbs[*]',
+  resource: 'queryawsEbsSnapshot[*]',
   severity: 'low',
   conditions: {
-    and: [
+    or:[
       {
         path: '@.permissions',
-        isEmpty: false,
+          isEmpty: true,
       },
       {
         path: '@.permissions',
@@ -73,7 +73,7 @@ export default {
             },
           ],
         },
-      },
-    ],
+      }
+    ]
   },
 }
diff --git a/src/aws/pci-dss-3.2.1/tests/pci-dss-3.2.1-ec2-checks.test.ts b/src/aws/pci-dss-3.2.1/tests/pci-dss-3.2.1-ec2-checks.test.ts
@@ -40,7 +40,7 @@ describe('PCI Data Security Standard: 3.2.1', () => {
   describe('EC2 Check 1: Amazon EBS snapshots should not be publicly restorable', () => {
     test('Should pass when group is not set to all and it has a user id', async () => {
       const data = {
-        queryawsEbs: [
+        queryawsEbsSnapshot: [
           {
             id: cuid(),
             permissions: [
@@ -63,7 +63,7 @@ describe('PCI Data Security Standard: 3.2.1', () => {
 
     test('Should fail when group is set to all', async () => {
       const data = {
-        queryawsEbs: [
+        queryawsEbsSnapshot: [
           {
             id: cuid(),
             permissions: [
@@ -86,7 +86,7 @@ describe('PCI Data Security Standard: 3.2.1', () => {
 
     test('Should fail when group is not set to all, but it has not a user id', async () => {
       const data = {
-        queryawsEbs: [
+        queryawsEbsSnapshot: [
           {
             id: cuid(),
             permissions: [
@@ -109,7 +109,7 @@ describe('PCI Data Security Standard: 3.2.1', () => {
 
     test('Should fail when it does not have configured permissions', async () => {
       const data = {
-        queryawsEbs: [
+        queryawsEbsSnapshot: [
           {
             id: cuid(),
             permissions: [],
@@ -122,7 +122,7 @@ describe('PCI Data Security Standard: 3.2.1', () => {
         { ...data } as any
       )
 
-      expect(processedRule.result).toBe(Result.FAIL)
+      expect(processedRule.result).toBe(Result.PASS)
     })
   })
 
