Add new controls in all_controls benchmark #736

Merged
merged 26 commits into from
Jan 4, 2024
3 changes: 3 additions & 0 deletions all_controls/acm.sp
Expand Up @@ -9,7 +9,10 @@ benchmark "all_controls_acm" {
description = "This section contains recommendations for configuring ACM resources."
children = [
control.acm_certificate_expires_30_days,
control.acm_certificate_no_failed_certificate,
control.acm_certificate_no_pending_validation_certificate,
control.acm_certificate_no_wildcard_domain_name,
control.acm_certificate_not_expired,
control.acm_certificate_transparency_logging_enabled
]

1 change: 1 addition & 0 deletions all_controls/cloudfront.sp
Expand Up @@ -14,6 +14,7 @@ benchmark "all_controls_cloudfront" {
control.cloudfront_distribution_encryption_in_transit_enabled,
control.cloudfront_distribution_field_level_encryption_enabled,
control.cloudfront_distribution_geo_restrictions_enabled,
control.cloudfront_distribution_latest_tls_version,
control.cloudfront_distribution_logging_enabled,
control.cloudfront_distribution_no_deprecated_ssl_protocol,
control.cloudfront_distribution_no_non_existent_s3_origin,
2 changes: 2 additions & 0 deletions all_controls/cloudtrail.sp
Expand Up @@ -11,13 +11,15 @@ benchmark "all_controls_cloudtrail" {
control.cloudtrail_bucket_not_public,
control.cloudtrail_multi_region_read_write_enabled,
control.cloudtrail_multi_region_trail_enabled,
control.cloudtrail_multi_region_trail_integrated_with_logs,
control.cloudtrail_s3_data_events_enabled,
control.cloudtrail_s3_logging_enabled,
control.cloudtrail_s3_object_read_events_audit_enabled,
control.cloudtrail_s3_object_write_events_audit_enabled,
control.cloudtrail_security_trail_enabled,
control.cloudtrail_trail_bucket_mfa_enabled,
control.cloudtrail_trail_enabled,
control.cloudtrail_trail_enabled_account,
control.cloudtrail_trail_insight_selectors_and_logging_enabled,
control.cloudtrail_trail_integrated_with_logs,
control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
1 change: 1 addition & 0 deletions all_controls/config.sp
Expand Up @@ -8,6 +8,7 @@ benchmark "all_controls_config" {
title = "Config"
description = "This section contains recommendations for configuring Config resources."
children = [
control.config_configuration_recorder_no_failed_deliver_logs,
control.config_enabled_all_regions
]

1 change: 1 addition & 0 deletions all_controls/docdb.sp
Expand Up @@ -9,6 +9,7 @@ benchmark "all_controls_docdb" {
description = "This section contains recommendations for configuring DocumentDB resources."
children = [
control.docdb_cluster_backup_retention_period_7_days,
control.docdb_cluster_deletion_protection_enabled,
control.docdb_cluster_encryption_at_rest_enabled,
control.docdb_cluster_instance_encryption_at_rest_enabled,
control.docdb_cluster_instance_logging_enabled
20 changes: 20 additions & 0 deletions all_controls/ec2.sp
Expand Up @@ -16,6 +16,26 @@ benchmark "all_controls_ec2" {
control.ec2_instance_in_vpc,
control.ec2_instance_no_amazon_key_pair,
control.ec2_instance_no_high_level_finding_in_inspector_scan,
control.ec2_instance_no_iam_passrole_and_lambda_invoke_function_access,
control.ec2_instance_no_iam_role_attached_with_credentials_exposure_access,
control.ec2_instance_no_iam_role_with_alter_critical_s3_permissions_configuration,
control.ec2_instance_no_iam_role_with_cloud_log_tampering_access,
control.ec2_instance_no_iam_role_with_data_destruction_access,
control.ec2_instance_no_iam_role_with_database_management_write_access,
control.ec2_instance_no_iam_role_with_defense_evasion_impact_of_aws_security_services_access,
control.ec2_instance_no_iam_role_with_destruction_kms_access,
control.ec2_instance_no_iam_role_with_destruction_rds_access,
control.ec2_instance_no_iam_role_with_elastic_ip_hijacking_access,
control.ec2_instance_no_iam_role_with_management_level_access,
control.ec2_instance_no_iam_role_with_new_group_creation_with_attached_policy_access,
control.ec2_instance_no_iam_role_with_new_role_creation_with_attached_policy_access,
control.ec2_instance_no_iam_role_with_new_user_creation_with_attached_policy_access,
control.ec2_instance_no_iam_role_with_org_write_access,
control.ec2_instance_no_iam_role_with_privilege_escalation_risk_access,
control.ec2_instance_no_iam_role_with_security_group_write_access,
control.ec2_instance_no_iam_role_with_write_access_to_resource_based_policies,
control.ec2_instance_no_iam_role_with_write_permission_on_critical_s3_configuration,
control.ec2_instance_no_iam_with_write_level_access,
control.ec2_instance_no_launch_wizard_security_group,
control.ec2_instance_not_publicly_accessible,
control.ec2_instance_not_use_multiple_enis,
2 changes: 2 additions & 0 deletions all_controls/ecs.sp
Expand Up @@ -12,6 +12,7 @@ benchmark "all_controls_ecs" {
control.ecs_cluster_container_instance_agent_connected,
control.ecs_cluster_encryption_at_rest_enabled,
control.ecs_cluster_instance_in_vpc,
control.ecs_cluster_no_active_services_count,
control.ecs_cluster_no_registered_container_instance,
control.ecs_service_fargate_using_latest_platform_version,
control.ecs_service_load_balancer_attached,
Expand All @@ -21,6 +22,7 @@ benchmark "all_controls_ecs" {
control.ecs_task_definition_container_readonly_root_filesystem,
control.ecs_task_definition_logging_enabled,
control.ecs_task_definition_no_host_pid_mode,
control.ecs_task_definition_no_root_user,
control.ecs_task_definition_user_for_host_mode_check
]

1 change: 1 addition & 0 deletions all_controls/eks.sp
Expand Up @@ -12,6 +12,7 @@ benchmark "all_controls_eks" {
control.eks_cluster_endpoint_public_access_restricted,
control.eks_cluster_endpoint_restrict_public_access,
control.eks_cluster_no_default_vpc,
control.eks_cluster_no_multiple_security_groups,
control.eks_cluster_secrets_encrypted,
control.eks_cluster_with_latest_kubernetes_version
]
1 change: 1 addition & 0 deletions all_controls/elasticache.sp
Expand Up @@ -14,6 +14,7 @@ benchmark "all_controls_elasticache" {
control.elasticache_redis_cluster_automatic_backup_retention_15_days,
control.elasticache_replication_group_auto_failover_enabled,
control.elasticache_replication_group_encryption_at_rest_enabled,
control.elasticache_replication_group_encryption_at_rest_enabled_with_kms_cmk,
control.elasticache_replication_group_encryption_in_transit_enabled,
control.elasticache_replication_group_redis_auth_enabled
]
2 changes: 2 additions & 0 deletions all_controls/elb.sp
Expand Up @@ -25,8 +25,10 @@ benchmark "all_controls_elb" {
control.elb_classic_lb_cross_zone_load_balancing_enabled,
control.elb_classic_lb_desync_mitigation_mode,
control.elb_classic_lb_multiple_az_configured,
control.elb_classic_lb_no_registered_instance,
control.elb_classic_lb_use_ssl_certificate,
control.elb_classic_lb_use_tls_https_listeners,
control.elb_classic_lb_with_inbound_rule,
control.elb_classic_lb_with_outbound_rule,
control.elb_listener_use_secure_ssl_cipher,
control.elb_network_lb_tls_listener_security_policy_configured,
3 changes: 2 additions & 1 deletion all_controls/emr.sp
Expand Up @@ -10,7 +10,8 @@ benchmark "all_controls_emr" {
children = [
control.emr_account_public_access_blocked,
control.emr_cluster_kerberos_enabled,
control.emr_cluster_master_nodes_no_public_ip
control.emr_cluster_master_nodes_no_public_ip,
control.emr_cluster_security_configuration_enabled
]

tags = merge(local.all_controls_emr_common_tags, {
1 change: 1 addition & 0 deletions all_controls/kinesis.sp
Expand Up @@ -8,6 +8,7 @@ benchmark "all_controls_kinesis" {
title = "Kinesis"
description = "This section contains recommendations for configuring Kinesis resources."
children = [
control.kinesis_firehose_delivery_stream_server_side_encryption_enabled,
control.kinesis_stream_encrypted_with_kms_cmk,
control.kinesis_stream_server_side_encryption_enabled
]
5 changes: 5 additions & 0 deletions all_controls/rds.sp
Expand Up @@ -9,9 +9,11 @@ benchmark "all_controls_rds" {
description = "This section contains recommendations for configuring RDS resources."
children = [
control.rds_db_cluster_aurora_backtracking_enabled,
control.rds_db_cluster_aurora_postgres_not_exposed_to_local_file_read_vulnerability,
control.rds_db_cluster_aurora_protected_by_backup_plan,
control.rds_db_cluster_copy_tags_to_snapshot_enabled,
control.rds_db_cluster_deletion_protection_enabled,
control.rds_db_cluster_encrypted_with_cmk,
control.rds_db_cluster_encryption_at_rest_enabled,
control.rds_db_cluster_events_subscription,
control.rds_db_cluster_iam_authentication_enabled,
Expand All @@ -21,6 +23,7 @@ benchmark "all_controls_rds" {
control.rds_db_instance_and_cluster_no_default_port,
control.rds_db_instance_automatic_minor_version_upgrade_enabled,
control.rds_db_instance_backup_enabled,
control.rds_db_instance_backup_retention_period_less_than_7,
control.rds_db_instance_ca_certificate_expires_7_days,
control.rds_db_instance_cloudwatch_logs_enabled,
control.rds_db_instance_connections_encryption_enabled,
Expand All @@ -34,6 +37,8 @@ benchmark "all_controls_rds" {
control.rds_db_instance_logging_enabled,
control.rds_db_instance_multiple_az_enabled,
control.rds_db_instance_no_default_admin_name,
control.rds_db_instance_no_public_subnet,
control.rds_db_instance_postgres_not_exposed_to_local_file_read_vulnerability,
control.rds_db_instance_prohibit_public_access,
control.rds_db_instance_protected_by_backup_plan,
control.rds_db_parameter_group_events_subscription,
1 change: 1 addition & 0 deletions all_controls/redshift.sp
Expand Up @@ -11,6 +11,7 @@ benchmark "all_controls_redshift" {
control.redshift_cluster_audit_logging_enabled,
control.redshift_cluster_automatic_snapshots_min_7_days,
control.redshift_cluster_automatic_upgrade_major_versions_enabled,
control.redshift_cluster_encrypted_with_cmk,
control.redshift_cluster_encryption_in_transit_enabled,
control.redshift_cluster_encryption_logging_enabled,
control.redshift_cluster_enhanced_vpc_routing_enabled,
1 change: 1 addition & 0 deletions all_controls/s3.sp
Expand Up @@ -17,6 +17,7 @@ benchmark "all_controls_s3" {
control.s3_bucket_lifecycle_policy_enabled,
control.s3_bucket_logging_enabled,
control.s3_bucket_mfa_delete_enabled,
control.s3_bucket_not_accessible_to_all_authenticated_user,
control.s3_bucket_object_lock_enabled,
control.s3_bucket_object_logging_enabled,
control.s3_bucket_policy_restrict_public_access,
5 changes: 4 additions & 1 deletion all_controls/sns.sp
Expand Up @@ -10,7 +10,10 @@ benchmark "all_controls_sns" {
children = [
control.sns_topic_encrypted_at_rest,
control.sns_topic_notification_delivery_status_enabled,
control.sns_topic_policy_prohibit_public_access
control.sns_topic_policy_prohibit_cross_account_access,
control.sns_topic_policy_prohibit_public_access,
control.sns_topic_policy_prohibit_publishing_access,
control.sns_topic_policy_prohibit_subscription_access
]

tags = merge(local.all_controls_sns_common_tags, {
1 change: 1 addition & 0 deletions all_controls/sqs.sp
Expand Up @@ -10,6 +10,7 @@ benchmark "all_controls_sqs" {
children = [
control.sqs_queue_dead_letter_queue_configured,
control.sqs_queue_encrypted_at_rest,
control.sqs_queue_encrypted_with_kms_cmk,
control.sqs_queue_policy_prohibit_public_access
]

3 changes: 2 additions & 1 deletion all_controls/ssm.sp
Expand Up @@ -11,7 +11,8 @@ benchmark "all_controls_ssm" {
control.ec2_instance_ssm_managed,
control.ssm_document_prohibit_public_access,
control.ssm_managed_instance_compliance_association_compliant,
control.ssm_managed_instance_compliance_patch_compliant
control.ssm_managed_instance_compliance_patch_compliant,
control.ssm_parameter_encryption_enabled
]

tags = merge(local.all_controls_ssm_common_tags, {
2 changes: 2 additions & 0 deletions all_controls/vpc.sp
Expand Up @@ -17,6 +17,8 @@ benchmark "all_controls_vpc" {
control.vpc_in_more_than_one_region,
control.vpc_network_acl_remote_administration,
control.vpc_network_acl_unused,
control.vpc_not_in_use,
control.vpc_peering_connection_no_cross_account_access,
control.vpc_peering_connection_route_table_least_privilege,
control.vpc_route_table_restrict_public_access_to_igw,
control.vpc_security_group_allows_ingress_authorized_ports,
79 changes: 79 additions & 0 deletions conformance_pack/acm.sp
Expand Up @@ -43,6 +43,30 @@ control "acm_certificate_no_wildcard_domain_name" {
tags = local.conformance_pack_acm_common_tags
}

control "acm_certificate_not_expired" {
title = "Ensure that all the expired ACM certificates are removed"
description = "This control ensures that all expired ACM certificates are removed from AWS account."
query = query.acm_certificate_not_expired

tags = local.conformance_pack_acm_common_tags
}

control "acm_certificate_no_failed_certificate" {
title = "Ensure that ACM certificates are not in failed state"
description = "This control ensures that ACM certificates are not in failed state."
query = query.acm_certificate_no_failed_certificate

tags = local.conformance_pack_acm_common_tags
}

control "acm_certificate_no_pending_validation_certificate" {
title = "Ensure that ACM certificates are not in pending validation state"
description = "This control ensures that ACM certificates are not in pending validation state. When certificates are not validated within 72 hours after the request is made, those certificates become invalid."
query = query.acm_certificate_no_pending_validation_certificate

tags = local.conformance_pack_acm_common_tags
}

query "acm_certificate_expires_30_days" {
sql = <<-EOQ
select
Expand Down Expand Up @@ -103,3 +127,58 @@ query "acm_certificate_no_wildcard_domain_name" {
aws_acm_certificate;
EOQ
}

query "acm_certificate_not_expired" {
sql = <<-EOQ
select
certificate_arn as resource,
case
when renewal_eligibility = 'INELIGIBLE' then 'skip'
when date(not_after) < (current_date - interval '1' minute) then 'alarm'
else 'ok'
end as status,
case
when renewal_eligibility = 'INELIGIBLE' then title || ' not eligible for renewal.'
when date(not_after) < (current_date - interval '1' minute) then title || ' expired ' || to_char(not_after, 'DD-Mon-YYYY') ||
' (' || extract(day from not_after - current_date) || ' days ago).'
else title || ' expires ' || to_char(not_after, 'DD-Mon-YYYY') ||
' (' || extract(day from not_after - current_date) || ' days).'
end as reason
${local.tag_dimensions_sql}
${local.common_dimensions_sql}
from
aws_acm_certificate;
EOQ
}

query "acm_certificate_no_failed_certificate" {
sql = <<-EOQ
select
certificate_arn as resource,
case
when status in ('VALIDATION_TIMED_OUT', 'FAILED') then 'alarm'
else 'ok'
end as status,
title || ' status is ' || status || '.' as reason
${local.tag_dimensions_sql}
${local.common_dimensions_sql}
from
aws_acm_certificate;
EOQ
}

query "acm_certificate_no_pending_validation_certificate" {
sql = <<-EOQ
select
certificate_arn as resource,
case
when status = 'PENDING_VALIDATION' then 'info'
else 'ok'
end as status,
title || ' status is ' || status || '.' as reason
${local.tag_dimensions_sql}
${local.common_dimensions_sql}
from
aws_acm_certificate;
EOQ
}
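Review bot: In query `acm_certificate_not_expired`, `date(not_after) < (current_date - interval '1' minute)` truncates the expiry to a date and compares it with a timestamp one minute before today's midnight, so a certificate that expired earlier today stays 'ok' until tomorrow; `when not_after < current_timestamp then 'alarm'` (in both case expressions) checks the actual moment of expiry. In the expired branch `extract(day from not_after - current_date)` is negative, so the reason renders like "(-5 days ago)" (constructed example); use `extract(day from current_date - not_after)` there. The 'skip' for `renewal_eligibility = 'INELIGIBLE'` also removes certificates from a check whose title says all expired certificates should be removed — if INELIGIBLE covers imported certificates, as I believe it does, an expired imported certificate is never alarmed, so either drop that branch or state the exclusion in the control description. Relatedly, `acm_certificate_no_pending_validation_certificate` returns 'info' rather than 'alarm' while its description says the control "ensures" certificates are not pending; the description should say the control is informational.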
29 changes: 29 additions & 0 deletions conformance_pack/cloudfront.sp
Expand Up @@ -158,6 +158,14 @@ control "cloudfront_distribution_field_level_encryption_enabled" {
tags = local.conformance_pack_cloudfront_common_tags
}

control "cloudfront_distribution_latest_tls_version" {
title = "CloudFront distributions should have latest TLS version"
description = "This control checks whether CloudFront distribution uses latest TLS version."
query = query.cloudfront_distribution_latest_tls_version

tags = local.conformance_pack_cloudfront_common_tags
}

query "cloudfront_distribution_encryption_in_transit_enabled" {
sql = <<-EOQ
with data as (
Expand Down Expand Up @@ -563,3 +571,24 @@ query "cloudfront_distribution_no_non_existent_s3_origin" {
left join distribution_with_non_existent_bucket as b on b.arn = d.arn;
EOQ
}

query "cloudfront_distribution_latest_tls_version" {
sql = <<-EOQ
select
arn as resource,
case
when viewer_certificate ->> 'CertificateSource' = 'cloudfront'
and viewer_certificate ->> 'MinimumProtocolVersion' = 'TLSv1.2_2021' then 'ok'
else 'alarm'
end as status,
case
when viewer_certificate ->> 'CertificateSource' = 'cloudfront'
and viewer_certificate ->> 'MinimumProtocolVersion' = 'TLSv1.2_2021' then title || ' uses latest TLS version.'
else title || ' not uses latest TLS version.'
end as reason
${local.tag_dimensions_sql}
${local.common_dimensions_sql}
from
aws_cloudfront_distribution;
EOQ
}
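Review bot: The 'ok' condition in query `cloudfront_distribution_latest_tls_version` requires `CertificateSource = 'cloudfront'` together with `MinimumProtocolVersion = 'TLSv1.2_2021'`, which I believe can never both hold: a distribution on the default CloudFront certificate has its minimum protocol fixed at TLSv1 by the service, while distributions carrying an ACM or IAM certificate (the only ones that can select 'TLSv1.2_2021') are sent to 'alarm'. Unless the intent is otherwise, the check should be `when viewer_certificate ->> 'MinimumProtocolVersion' = 'TLSv1.2_2021' then 'ok'` (optionally restricted to `CertificateSource in ('acm', 'iam')`) in both case expressions. Since the policy name is hard-coded, the control description's "latest TLS version" should name the security policy it checks so it can be bumped when CloudFront publishes a newer one. The alarm reason `' not uses latest TLS version.'` is ungrammatical; `' does not use latest TLS version.'` reads better.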