Merge pull request #32 from aws-solutions/release/v1.0.11

Release v1.0.11

CHANGELOG.md

@@ -5,6 +5,23 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.0.11] - 2024-9
+
+### Fixed
+
+- Added support for keys `aws:SourceOrgID`, `aws:SourceOrgPaths` in policy conditions
+
+### Updated dependencies
+
+- `moto` from v4.x to v5.x for python unit tests
+- `micromatch` to mitigate [CVE-2024-4067](https://avd.aquasec.com/nvd/cve-2024-4067)
+- `webpack` to mitigate [CVE-2024-43788](https://avd.aquasec.com/nvd/cve-2024-43788)
+- `express` to mitigate [CVE-2024-43796](https://avd.aquasec.com/nvd/cve-2024-43796)
+- `send` to mitigate [CVE-2024-43799 ](https://avd.aquasec.com/nvd/cve-2024-43799)
+- `serve-static` to mitigate [CVE-2024-43800](https://avd.aquasec.com/nvd/cve-2024-43800)
+- `path-to-regexp` to mitigate [CVE-2024-45296](https://avd.aquasec.com/nvd/cve-2024-45296)
+- `body-parser` to mitigate [CVE-2024-45590](https://avd.aquasec.com/nvd/cve-2024-45590)
+
 ## [1.0.10] - 2024-8
 
 - Upgrade `axios` to mitigate [CVE-2024-39338](https://nvd.nist.gov/vuln/detail/CVE-2024-39338)

source/lambda/aws/services/api_gateway.py

@@ -12,7 +12,6 @@
 from aws_lambda_powertools import Logger
 from mypy_boto3_apigateway.type_defs import RestApiResponseTypeDef
 
-
 class APIGateway:
     def __init__(self, account_id, region):
         self.logger = Logger(service=self.__class__.__name__, level=getenv('LOG_LEVEL'))

source/lambda/resource_based_policy/step_functions_lambda/check_policy_for_organizations_dependency.py

@@ -1,9 +1,10 @@
-# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
-# SPDX-License-Identifier: Apache-2.0
+#  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#  SPDX-License-Identifier: Apache-2.0
 import json
+from os import getenv
+
 from aws_lambda_powertools import Logger
 from mypy_boto3_serverlessrepo.type_defs import ApplicationPolicyStatementTypeDef
-from os import getenv
 
 from resource_based_policy.resource_based_policy_model import PolicyAnalyzerRequest, \
     PolicyAnalyzerResponse
@@ -13,6 +14,8 @@
 AWS_RESOURCE_ORG_ID = "aws:ResourceOrgID"
 AWS_PRINCIPAL_ORG_PATHS = "aws:PrincipalOrgPaths"
 AWS_PRINCIPAL_ORG_ID = "aws:PrincipalOrgID"
+AWS_SOURCE_ORG_PATHS = "aws:SourceOrgPaths"
+AWS_SOURCE_ORG_ID = "aws:SourceOrgID"
 
 
 class CheckForOrganizationsDependency:
@@ -31,6 +34,8 @@ def scan(self, policies: list[PolicyAnalyzerRequest]) -> list[PolicyAnalyzerResp
                 self._check_for_principal_org_paths(resource)
                 self._check_for_resource_org_id(resource)
                 self._check_for_resource_org_paths(resource)
+                self._check_for_source_org_id(resource)
+                self._check_for_source_org_paths(resource)
 
         response = [item for sub_item, item in enumerate(self.resources_dependent_on_organizations) if item not in
                     self.resources_dependent_on_organizations[sub_item + 1:]]
@@ -63,6 +68,16 @@ def _check_for_resource_org_paths(self, resource):
             self.logger.debug("Found ResourceOrgPaths in the policy")
             self.process_statement_in_policy(resource)
 
+    def _check_for_source_org_id(self, resource):
+        if AWS_SOURCE_ORG_ID.lower() in resource['Policy'].lower():
+            self.logger.debug("Found SourceOrgID in the policy")
+            self.process_statement_in_policy(resource)
+
+    def _check_for_source_org_paths(self, resource):
+        if AWS_SOURCE_ORG_PATHS.lower() in resource['Policy'].lower():
+            self.logger.debug("Found SourceOrgPaths in the policy")
+            self.process_statement_in_policy(resource)
+
     def process_statement_in_policy(self, resource):
         self.logger.debug(resource)
         policy_statement = json.loads(resource['Policy']).get('Statement')
@@ -88,7 +103,9 @@ def process_condition_in_statement(self, resource_name, statement):
                         AWS_PRINCIPAL_ORG_ID.lower(),
                         AWS_PRINCIPAL_ORG_PATHS.lower(),
                         AWS_RESOURCE_ORG_ID.lower(),
-                        AWS_RESOURCE_ORG_PATHS.lower()
+                        AWS_RESOURCE_ORG_PATHS.lower(),
+                        AWS_SOURCE_ORG_ID.lower(),
+                        AWS_SOURCE_ORG_PATHS.lower()
                     ]:
                         policy_response: PolicyAnalyzerResponse = {
                             "ResourceName": resource_name,

source/lambda/testing_requirements.txt

@@ -1,5 +1,34 @@
 mock==5.1.0
-moto==4.2.6
+moto==5.0.14
+boto3-stubs[essential]~=1.34.0
+moto[sts]~=5.0.14
+moto[organizations]~=5.0.14
+moto[stepfunctions]~=5.0.14
+moto[s3]~=5.0.14
+moto[glacier]~=5.0.14
+moto[iam]~=5.0.14
+moto[sns]~=5.0.14
+moto[sqs]~=5.0.14
+moto[lambda]~=5.0.14
+moto[efs]~=5.0.14
+moto[secretsmanager]~=5.0.14
+moto[iot]~=5.0.14
+moto[kms]~=5.0.14
+moto[apigateway]~=5.0.14
+moto[events]~=5.0.14
+moto[sesv2]~=5.0.14
+moto[ecr]~=5.0.14
+moto[config]~=5.0.14
+moto[ssm-incidents]~=5.0.14
+moto[opensearch]~=5.0.14
+moto[cloudformation]~=5.0.14
+moto[glue]~=5.0.14
+moto[serverlessrepo]~=5.0.14
+moto[backup]~=5.0.14
+moto[codeartifact]~=5.0.14
+moto[codebuild]~=5.0.14
+moto[mediastore]~=5.0.14
+moto[ec2]~=5.0.14
 pytest==7.4.2
 pytest-mock==3.12.0
 pytest-runner==6.0.0

source/lambda/tests/conftest.py

@@ -1,13 +1,13 @@
-# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
-# SPDX-License-Identifier: Apache-2.0
+#  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#  SPDX-License-Identifier: Apache-2.0
 
 import os
 from os import environ
 
 import boto3
 import pytest
 from aws_lambda_powertools import Logger
-from moto import mock_organizations, mock_dynamodb, mock_stepfunctions, mock_s3, mock_iam, mock_glacier
+from moto import mock_aws
 
 from utils.base_repository import Clock
 
@@ -28,50 +28,50 @@ def aws_credentials():
 @pytest.fixture
 def org_client(aws_credentials):
     """Organizations Mock Client"""
-    with mock_organizations():
+    with mock_aws():
         connection = boto3.client("organizations", region_name="us-east-1")
         yield connection
 
 
 @pytest.fixture(scope='module')
 def dynamodb_client_resource(aws_credentials):
     """DDB Mock Client"""
-    with mock_dynamodb():
+    with mock_aws():
         connection = boto3.resource("dynamodb")
         yield connection
 
 
 @pytest.fixture(scope='module')
 def stepfunctions_client(aws_credentials):
-    with mock_stepfunctions():
+    with mock_aws():
         connection = boto3.client("stepfunctions", region_name="us-east-1")
         yield connection
 
 
 @pytest.fixture(scope='module')
 def iam_client(aws_credentials):
-    with mock_iam():
+    with mock_aws():
         connection = boto3.client("iam", region_name="us-east-1")
         yield connection
 
 
 @pytest.fixture(scope='module')
 def s3_client(aws_credentials):
-    with mock_s3():
+    with mock_aws():
         connection = boto3.client("s3", region_name="us-east-1")
         yield connection
 
 
 @pytest.fixture(scope='module')
 def s3_client_resource(aws_credentials):
-    with mock_s3():
+    with mock_aws():
         connection = boto3.resource("s3", region_name="us-east-1")
         yield connection
 
 
 @pytest.fixture(scope='module')
 def glacier_client(aws_credentials):
-    with mock_glacier():
+    with mock_aws():
         connection = boto3.client("glacier", region_name="us-east-1")
         yield connection
 

source/lambda/tests/test_aws_services/test_assume_role.py

@@ -1,15 +1,15 @@
-# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
-# SPDX-License-Identifier: Apache-2.0
+#  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#  SPDX-License-Identifier: Apache-2.0
 
 from aws_lambda_powertools import Logger
-from moto import mock_sts
+from moto import mock_aws
 
 from aws.services.security_token_service import SecurityTokenService
 
 logger = Logger(level="info")
 
 
-@mock_sts
+@mock_aws
 def test_assume_role_in_same_account(organizations_setup):
     # ARRANGE
     sts = SecurityTokenService()
@@ -25,7 +25,7 @@ def test_assume_role_in_same_account(organizations_setup):
     assert "Expiration" in credentials.keys()
 
 
-@mock_sts
+@mock_aws
 def test_assume_role_in_different_account(org_client, organizations_setup):
     # ARRANGE
     sts = SecurityTokenService()

source/lambda/tests/test_aws_services/test_organizations.py

@@ -1,15 +1,15 @@
-# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
-# SPDX-License-Identifier: Apache-2.0
+#  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#  SPDX-License-Identifier: Apache-2.0
 
 from aws_lambda_powertools import Logger
-from moto import mock_sts
+from moto import mock_aws
 
 from aws.services.organizations import Organizations
 
 logger = Logger(level="info")
 
 
-@mock_sts
+@mock_aws
 def test_get_active_accounts(organizations_setup):
     # ARRANGE
     all_accounts = Organizations().list_accounts()
@@ -21,7 +21,7 @@ def test_get_active_accounts(organizations_setup):
     assert len(all_accounts) == len(accounts)
 
 
-@mock_sts
+@mock_aws
 def test_exclude_suspended_accounts(org_client, organizations_setup):
     # ARRANGE
     all_accounts = Organizations().list_accounts()

source/lambda/tests/test_aws_services/test_step_functions.py

@@ -1,14 +1,17 @@
+#  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#  SPDX-License-Identifier: Apache-2.0
+
 import os
 import re
 from datetime import datetime
 
-from moto import mock_sts
+from moto import mock_aws
 from moto.core import DEFAULT_ACCOUNT_ID as ACCOUNT_ID
 
 from aws.services.step_functions import StepFunctions
 
 
-@mock_sts
+@mock_aws
 def test_state_machine_start_execution(stepfunctions_client, organizations_setup):
     # ARRANGE
     region = "us-east-1"

source/lambda/tests/test_delegated_admin/test_scan_for_delegated_admins.py

@@ -1,17 +1,17 @@
-# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
-# SPDX-License-Identifier: Apache-2.0
+#  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#  SPDX-License-Identifier: Apache-2.0
 import uuid
 
 from aws_lambda_powertools import Logger
-from moto import mock_sts
+from moto import mock_aws
 
 from delegated_admins.scan_for_delegated_admins import \
     DelegatedAdminsStrategy
 
 logger = Logger(level="info")
 
 
-@mock_sts
+@mock_aws
 def test_delegated_admin_account_scan(org_client, organizations_setup):
     # ARRANGE
     dev_account_id = organizations_setup['dev_account_id']

source/lambda/tests/test_deploy_webui/test_webui_deployment.py

@@ -1,12 +1,10 @@
-# !/bin/python
-# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
-# SPDX-License-Identifier: Apache-2.0
+#  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#  SPDX-License-Identifier: Apache-2.0
 import json
 from os import environ
 
 import pytest
-from aws_lambda_powertools.utilities.typing import LambdaContext
-from moto import mock_s3
+from moto import mock_aws
 from mypy_boto3_s3 import S3ServiceResource
 
 from aws.services.s3 import S3
@@ -34,7 +32,7 @@ def describe_webui_deploy():
     environ['AWS_SECURITY_TOKEN'] = 'testing'
     environ['AWS_SESSION_TOKEN'] = 'testing'
 
-    @mock_s3
+    @mock_aws
     def test_webui_files_are_copied_and_config_is_generated():
         # ARRANGE
         web_ui_deployer = WebUIDeployer()
@@ -73,7 +71,7 @@ def test_webui_files_are_copied_and_config_is_generated():
         generated_config_filename = "aws-exports-generated.json"
         assert generated_config_filename in keys
 
-    @mock_s3
+    @mock_aws
     def test_lambda_handler_throws_no_such_bucket():
         # ARRANGE