adding in the needed rules and cleaning up the debug info from the code #256

Merged 1 commit on Dec 3, 2024
29 changes: 25 additions & 4 deletions bosh/opsfiles/rules.yml
Expand Up @@ -42,14 +42,35 @@
value:
name: aws-iam-check-keys
rules:
- alert: AWSIAMCheckKeys
expr: stale_key_num > 0
- alert: OperatorsStaleKeyWarning
expr: last_rotated_days{user_type="Operator"} >= 75 and last_rotated_days{user_type="Operator"} < 90
labels:
service: aws-iam
severity: warning
annotations:
summary: AWS IAM user {{$labels.user}} has stale IAM Key(s)
description: Look up the procedures for rotating the access keys
summary: IAM key for {$labels.user} will be expired within the next 15 days
description: "For Operators if the expiration is within 15 days\n"
- alert: PlatformApplicationStaleKeyWarning
expr: last_rotated_days{user_type="Platform"} >= 80 and last_rotated_days{user_type="Platform"} < 165 or last_rotated_days{user_type="Application"} >= 80 and last_rotated_days{user_type="Application"} < 165
labels:
severity: warning
annotations:
summary: IAM key for Platform or Application {$labels.user} will be expired within the next 15 days
description: "For Platform or Applications if the expiration is within 85 days\n"
- alert: OperatorsStaleKeyViolation
expr: last_rotated_days{user_type="Operator"} >= 90
labels:
severity: critical
annotations:
summary: IAM key for {$labels.user} is now expired
description: "For Operators if the key is expired\n"
- alert: PlatformApplicationStaleKeyViolation
expr: last_rotated_days{user_type="Platform"} >= 165 or last_rotated_days{user_type="Application"} >= 165
labels:
severity: critical
annotations:
summary: IAM key for {$labels.user} is now expired
description: "For Platform or Applications if the key is expired\n"

# CloudWatch logs alerts
- type: replace
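Review bot: The new `summary` annotations write `{$labels.user}` with single braces, which is not Go template syntax, so Prometheus will render the text literally instead of the user name; use `{{ $labels.user }}` as the earlier `AWSIAMCheckKeys` summary did. In `PlatformApplicationStaleKeyWarning` the expression covers `>= 80` to `< 165`, a span of 85 days, while its summary says "within the next 15 days" and its description says 85 days, so the threshold and the wording need to be brought into agreement. Only `OperatorsStaleKeyWarning` carries `service: aws-iam`; if alert routing matches on that label, the other three rules need it as well.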
7 changes: 1 addition & 6 deletions ci/aws-iam-check-keys/find_stale_keys.py
Expand Up @@ -289,7 +289,6 @@ def del_key(key_dict: dict):
are stale
"""
gateway = f'{env.str("GATEWAY_HOST")}:{env.int("GATEWAY_PORT", 9091)}'
print(f'gateway in del_key is: {gateway}')
del key_dict["days_since_rotation"]
del key_dict["last_rotated"]
del key_dict["key_num"]
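Review bot: The gateway address in `del_key` is built with the same `GATEWAY_HOST`/`GATEWAY_PORT` f-string that `send_key` repeats, and the two copies had already drifted apart (one hard-coded `:9091`). Move the construction into one small helper or module-level value that both functions call, so a later change to the host or port cannot be applied to only one of them.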
Expand All @@ -304,13 +303,9 @@ def send_key(key_dict: dict, severity: str):
Send the key(s) to the pushgateway client to let it determine if they
are stale
"""
gateway = f"{env.str('GATEWAY_HOST')}:9091"
#print(gateway_test)
#gateway = f"{env.str('GATEWAY_HOST')}:{env.int('GATEWAY_PORT', 9091)}"
print(f"gateway in send_key: {gateway}")
gateway = f"{env.str('GATEWAY_HOST')}:{env.int('GATEWAY_PORT', 9091)}"
registry = CollectorRegistry()
days_since_rotation = key_dict["days_since_rotation"]
# user_type = key_dict["user_type"]
del key_dict["days_since_rotation"]

key_info = Gauge(
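Review bot: `send_key` reads `key_dict["days_since_rotation"]` and then removes it from the caller's dict with `del`, and `del_key` deletes the same key in place, so passing one dict to both functions raises `KeyError` on the second call. Work on a copy of `key_dict`, or replace the read-then-`del` pair with `key_dict.pop("days_since_rotation", None)`, and note in the docstring that the argument is modified.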