cloud-gov/caulking

caulking should alert on ARNs (AWS Resources)


Security considerations

[note any potential changes to security boundaries, practices, documentation, risk that arise directly from this story]

ARN format:

arn:partition:service:region:account-id:resource-id
arn:partition:service:region:account-id:resource-type/resource-id
arn:partition:service:region:account-id:resource-type:resource-id

so we should have a regex something like:
arn:aws(-us-gov|-cn)?:[^:]+:[^:]*:\d{12}:[^:\s]+
need to double-check whether it's guaranteed that account ids are 12 numeric digits
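
An added example, not part of the original issue or the caulking code base: it runs the regex proposed above over constructed sample lines covering the three ARN formats listed. The account id 123456789012, the sample lines and the helper names `find_arns` and `scan` are assumptions made for illustration.

```python
import re

# Regex exactly as proposed in the issue.
ARN_RE = re.compile(r"arn:aws(-us-gov|-cn)?:[^:]+:[^:]*:\d{12}:[^:\s]+")

# Constructed sample lines; 123456789012 is a placeholder account id.
SAMPLES = [
    # resource-type/resource-id form, empty region field
    "role = arn:aws:iam::123456789012:role/deployer",
    # resource-id form, GovCloud partition
    "topic: arn:aws-us-gov:sns:us-gov-west-1:123456789012:alerts",
    # resource-type:resource-id form
    "db=arn:aws:rds:us-east-1:123456789012:db:prod-db",
    # S3 bucket ARN: region and account id fields are both empty
    "bucket = arn:aws:s3:::example-bucket",
    # documentation placeholder, not a real ARN
    "see arn:partition:service:region:account-id:resource-id",
]


def find_arns(text):
    """Return every substring of `text` matched by the proposed pattern."""
    return [m.group(0) for m in ARN_RE.finditer(text)]


def scan(lines):
    """Yield (line_number, matched_text) for each hit, 1-indexed."""
    for number, line in enumerate(lines, 1):
        for arn in find_arns(line):
            yield number, arn


if __name__ == "__main__":
    for number, arn in scan(SAMPLES):
        print(f"line {number}: {arn}")
```

The third sample is flagged but the match stops at the resource type, because `[^:\s]+` ends at the next colon. The S3 bucket ARN is not flagged, since it has no 12-digit account id field.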