Hi there.
I am writing this Sentinel policy to control permissions on the aws_endpoint and/or aws_endpoint_policy, and I have found that aws_endpoint_policy is not compatible in all regions; to know whether there is compatibility, I must ask AWS by running this command: describe-vpc-endpoint-services. Does anyone know how I can integrate the output of that command into a Sentinel policy?
It looks like you can dump the output of the command to JSON and Sentinel has a static import that can be used to import the contents of a JSON file into the scope of a policy. You could probably place the JSON file side-by-side with your policy in VCS and reference the region data within.
Thanks @hcrhall. I have been exploring that option, but what I don't know is how to evaluate the resource by executing the CLI command in real time from the Sentinel policy.
Basically I have to evaluate whether the policy is supported ("VpcEndpointPolicySupported": false or true) before proceeding with something like this.
In this code I am checking which aws_endpoint has an associated policy aws_endpoint_policy:
```sentinel
import "tfconfig/v2" as tfconfig

# Assumed definitions (not shown in the post): the two maps the loops below iterate over,
# both keyed by resource address.
allvpcep_pol = filter tfconfig.resources as _, r { r.type is "aws_vpc_endpoint_policy" }
allvpcep = filter tfconfig.resources as _, r { r.type is "aws_vpc_endpoint" }

for allvpcep_pol as change, rc {
	# references for an expression like aws_vpc_endpoint.foo.id hold both the attribute
	# reference and the bare resource address; index 1 is the resource address
	check_policy = rc.config.vpc_endpoint_id.references[1]
	for allvpcep as address, d {
		if check_policy == address {
			print("This policy ", change, " has been defined for this endpoint ", address)
		} else {
			print("this -->", address, " has not a policy defined")
		}
	}
}
```
Sentinel cannot execute CLI commands.
What I was thinking was that you could perhaps have a nightly job that runs the CLI command and writes the output to a file that is imported either as JSON, or you could use the HTTP import to GET the contents of the file.
Alternatively you could use a workflow automation platform like Pipedream that exposes an HTTP endpoint that returns a JSON response.
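As an added example (not code from this thread or from HashiCorp), here is how the static JSON import suggested earlier, fed by the nightly job, could be consumed in a Sentinel policy. It assumes the job writes endpoint-services.json next to the policy in the policy set, shaped as {"<region>": {"<ServiceName>": <VpcEndpointPolicySupported>}} (the ServiceName and VpcEndpointPolicySupported fields come from the ServiceDetails entries returned by describe-vpc-endpoint-services), that sentinel.hcl declares it with `import "static" "vpcservices" { source = "./endpoint-services.json" format = "json" }`, and that the workspace exposes its region as a Terraform variable named region. The file name, the import name vpcservices, and the variable name are assumptions.

```sentinel
# check-endpoint-policy.sentinel (assumed file name)
import "tfconfig/v2" as tfconfig
import "tfplan/v2" as tfplan
import "strings"
import "vpcservices" # static JSON import declared in sentinel.hcl (assumed name)

# Region the workspace deploys to; assumed to come from a Terraform variable named "region".
region = tfplan.variables.region.value

# Per-region table {ServiceName: VpcEndpointPolicySupported}; unknown region -> empty map,
# so every service in it is treated as unsupported (the safe default).
supported = vpcservices[region] else {}

# aws_vpc_endpoint resources that will exist after apply, keyed by address.
endpoints = filter tfplan.resource_changes as _, rc {
	rc.type is "aws_vpc_endpoint" and rc.mode is "managed" and
	rc.change.actions is not ["delete"]
}

# aws_vpc_endpoint_policy resources from configuration, keyed by address
# (config is needed because vpc_endpoint_id is usually unknown at plan time).
policies = filter tfconfig.resources as _, r {
	r.type is "aws_vpc_endpoint_policy"
}

violations = []
for policies as pol_addr, r {
	refs = r.config.vpc_endpoint_id.references else []
	if length(refs) == 0 {
		# literal ID or unresolvable expression: nothing to match against the plan
		continue
	}
	# references for aws_vpc_endpoint.foo.id hold the attribute reference first and
	# the bare resource address last
	ep_address = refs[length(refs) - 1]

	for endpoints as ep_addr, ep {
		# prefix match also covers counted/for_each instances such as aws_vpc_endpoint.foo[0]
		if not strings.has_prefix(ep_addr, ep_address) {
			continue
		}
		service = ep.change.after.service_name else "(unknown)"
		# a service missing from the table is reported, not silently allowed
		if not (supported[service] else false) {
			append(violations, pol_addr + " -> " + ep_addr + " (" + service +
				"): endpoint policies are not supported in " + region)
		}
	}
}

if length(violations) > 0 {
	print("endpoint policy violations:", violations)
}

main = rule { length(violations) is 0 }
```

The JSON is a snapshot, so the policy is only as current as the last run of the job that regenerates it; a service that is absent from the file, or a region the job did not cover, fails the rule rather than passing, which is the behaviour you want when the table has gone stale.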
@hcrhall, thank you for taking the time to reply.