From 4cb9b5075a4a070d55bb3d775f81b6a31971444c Mon Sep 17 00:00:00 2001 From: khushboo9024 Date: Wed, 29 Nov 2023 19:05:53 +0530 Subject: [PATCH 01/25] add new queries --- conformance_pack/acm.sp | 39 ++++++++++++++++++++++++++++ conformance_pack/cloudfront.sp | 21 ++++++++++++++++ conformance_pack/docdb.sp | 46 ++++++++++++++++++++++++++++++++++ conformance_pack/sqs.sp | 21 ++++++++++++++++ conformance_pack/ssm.sp | 20 +++++++++++++++ conformance_pack/vpc.sp | 28 +++++++++++++++++++++ 6 files changed, 175 insertions(+) diff --git a/conformance_pack/acm.sp b/conformance_pack/acm.sp index 4e13716a..af9cee13 100644 --- a/conformance_pack/acm.sp +++ b/conformance_pack/acm.sp @@ -103,3 +103,42 @@ query "acm_certificate_no_wildcard_domain_name" { aws_acm_certificate; EOQ } + +query "acm_certificate_expired" { + sql = <<-EOQ + select + certificate_arn as resource, + case + when renewal_eligibility = 'INELIGIBLE' then 'skip' + when date(not_after) < (current_date - interval '1' minute) then 'alarm' + else 'ok' + end as status, + case + when renewal_eligibility = 'INELIGIBLE' then title || ' not eligible for renewal.' + when date(not_after) < (current_date - interval '1' minute) then title || ' expired ' || to_char(not_after, 'DD-Mon-YYYY') || + ' (' || extract(day from not_after - current_date) || ' days ago).' + else title || ' expires ' || to_char(not_after, 'DD-Mon-YYYY') || + ' (' || extract(day from not_after - current_date) || ' days).' + end as reason + ${local.tag_dimensions_sql} + ${local.common_dimensions_sql} + from + aws_acm_certificate; + EOQ +} + +query "acm_certificate_no_failed_certificate" { + sql = <<-EOQ + select + certificate_arn as resource, + case + when status in ('VALIDATION_TIMED_OUT', 'FAILED') then 'alarm' + else 'ok' + end as status, + title || ' status is ' || status || '.' as reason + --${local.tag_dimensions_sql} + --${local.common_dimensions_sql} + from + aws_acm_certificate; + EOQ +} \ No newline at end of file 
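Review bot: In `acm_certificate_expired`, the `renewal_eligibility = 'INELIGIBLE'` arm comes before the expiry arm in both `case` expressions, so a certificate that is ineligible for renewal and already past `not_after` is reported as `skip` rather than `alarm`; as far as I recall, imported certificates are always ineligible for managed renewal, so these are exactly the ones most likely to expire unnoticed. Moving the expiry test to the first `when` (or dropping the skip arm) keeps the query aligned with its name. The predicate `date(not_after) < (current_date - interval '1' minute)` promotes the date back to a midnight timestamp and therefore reduces to `date(not_after) < current_date`; `not_after < current_timestamp` states the same intent directly and also catches certificates that expired earlier today.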
diff --git a/conformance_pack/cloudfront.sp b/conformance_pack/cloudfront.sp index e0ee9123..ce0f4440 100644 --- a/conformance_pack/cloudfront.sp +++ b/conformance_pack/cloudfront.sp @@ -563,3 +563,24 @@ query "cloudfront_distribution_no_non_existent_s3_origin" { left join distribution_with_non_existent_bucket as b on b.arn = d.arn; EOQ } + +query "cloudfront_distribution_protocol_version_latest" { + sql = <<-EOQ + select + arn as resource, + case + when viewer_certificate ->> 'CertificateSource' = 'cloudfront' + and viewer_certificate ->> 'MinimumProtocolVersion' = 'TLSv1.2_2021' then 'ok' + else 'alarm' + end as status, + case + when viewer_certificate ->> 'CertificateSource' = 'cloudfront' + and viewer_certificate ->> 'MinimumProtocolVersion' = 'TLSv1.2_2021' then title || ' uses latest protocol version.' + else title || ' not uses latest protocol version.' + end as reason + ${local.tag_dimensions_sql} + ${local.common_dimensions_sql} + from + aws_cloudfront_distribution; + EOQ +} \ No newline at end of file diff --git a/conformance_pack/docdb.sp b/conformance_pack/docdb.sp index 50bc3c55..1898ab77 100644 --- a/conformance_pack/docdb.sp +++ b/conformance_pack/docdb.sp @@ -28,6 +28,14 @@ control "docdb_cluster_instance_logging_enabled" { tags = local.conformance_pack_docdb_common_tags } +control "docdb_cluster_deletion_protection_enabled" { + title = "DocumentDB clusters should have deletion protection enabled" + description = "Ensure DocumentDB) clusters have deletion protection enabled." + query = query.docdb_cluster_deletion_protection_enabled + + tags = local.conformance_pack_docdb_common_tags +} + query "docdb_cluster_instance_logging_enabled" { sql = <<-EOQ select 
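Review bot: In `cloudfront_distribution_protocol_version_latest`, `ok` is only reachable when `viewer_certificate ->> 'CertificateSource' = 'cloudfront'`, so every distribution served under an ACM or IAM certificate is alarmed regardless of its `MinimumProtocolVersion`. If I recall correctly, the default CloudFront certificate does not allow the minimum protocol version to be raised above TLSv1, which would make the `ok` branch unreachable in practice and invert the control's intent; checking `viewer_certificate ->> 'MinimumProtocolVersion' = 'TLSv1.2_2021'` on its own (or only for `CertificateSource <> 'cloudfront'`) looks like what was meant. The `else` reason `' not uses latest protocol version.'` should read `' does not use the latest protocol version.'`.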
@@ -83,3 +91,41 @@ query "docdb_cluster_backup_retention_period_7_days" { aws_docdb_cluster; EOQ } + +query "docdb_cluster_deletion_protection_enabled" { + sql = <<-EOQ + select + arn as resource, + case + when deletion_protection then 'ok' + else 'alarm' + end status, + case + when deletion_protection then title || ' deletion protection enabled.' + else title || ' deletion protection not enabled.' + end reason + ${local.tag_dimensions_sql} + ${local.common_dimensions_sql} + from + aws_docdb_cluster; + EOQ +} + +query "docdb_cluster_deletion_protection_enabled" { + sql = <<-EOQ + select + arn as resource, + case + when deletion_protection then 'ok' + else 'alarm' + end status, + case + when deletion_protection then title || ' deletion protection enabled.' + else title || ' deletion protection not enabled.' + end reason + ${local.tag_dimensions_sql} + ${local.common_dimensions_sql} + from + aws_docdb_cluster; + EOQ +} diff --git a/conformance_pack/sqs.sp b/conformance_pack/sqs.sp index 5dc5039f..00f9c024 100644 --- a/conformance_pack/sqs.sp +++ b/conformance_pack/sqs.sp @@ -103,3 +103,24 @@ query "sqs_queue_encrypted_at_rest" { aws_sqs_queue; EOQ } + +query "sqs_queue_encrypted_with_kms_cmk" { + sql = <<-EOQ + select + queue_arn as resource, + case + when kms_master_key_id is null then 'alarm' + when kms_master_key_id is not null and kms_master_key_id = 'alias/aws/sqs' then 'alarm' + else 'ok' + end as status, + case + when kms_master_key_id is null then title || ' encryption at rest disabled.' + when kms_master_key_id is not null and kms_master_key_id = 'alias/aws/sqs' then title || ' not encrypted with CMK.' + else title || ' encrypted with CMK.' + end as reason + ${local.tag_dimensions_sql} + ${local.common_dimensions_sql} + from + aws_sqs_queue; + EOQ +} diff --git a/conformance_pack/ssm.sp b/conformance_pack/ssm.sp index 8ab25159..fc2e7603 100644 --- a/conformance_pack/ssm.sp +++ b/conformance_pack/ssm.sp 
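Review bot: In `docdb_cluster_deletion_protection_enabled` the `case` expressions close with `end status` and `end reason`, while every other query in this series writes `end as status` / `end as reason`; the implicit alias is valid SQL but the file should use one form. Change both to `end as status` and `end as reason`.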
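Review bot: In `sqs_queue_encrypted_with_kms_cmk` the first arm reports a null `kms_master_key_id` as `' encryption at rest disabled.'`, but a queue can also be encrypted with an SQS-managed key (SSE-SQS), in which case no KMS key id is set; if `aws_sqs_queue` exposes that flag the message should distinguish 'no KMS key configured' from 'unencrypted', otherwise word it as `' not encrypted with a KMS key.'`. The `kms_master_key_id is not null and` guard on the second arm is redundant, since `kms_master_key_id = 'alias/aws/sqs'` cannot be true for a null value and the null case is already taken by the arm above.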
@@ -177,3 +177,23 @@ query "ssm_document_prohibit_public_access" { owner_type = 'Self'; EOQ } + +query "ssm_parameter_encryption_enabled" { + sql = <<-EOQ + select + arn as resource, + case + when type = 'SecureString' then 'ok' + else 'alarm' + end as status, + case + when type = 'SecureString' then title || ' encryption enabled.' + else title || ' encryption disabled.' + end as reason + ${local.tag_dimensions_sql} + ${local.common_dimensions_sql} + from + aws_ssm_parameter; + EOQ +} + diff --git a/conformance_pack/vpc.sp b/conformance_pack/vpc.sp index b65b8e8e..72bb2cce 100644 --- a/conformance_pack/vpc.sp +++ b/conformance_pack/vpc.sp @@ -1783,4 +1783,32 @@ query "vpc_peering_connection_route_table_least_privilege" { aws_vpc_peering_connection as c left join vpc_peering_routing_tables as t on t.peering_connection_id = c.id; EOQ +} + +query "vpc_not_in_use" { + sql = <<-EOQ + with vpc_without_subnet as ( + select + distinct vpc_id + from + aws_vpc + where + vpc_id not in (select vpc_id from aws_vpc_subnet) + ) + select + arn as resource, + case + when s.vpc_id is null then 'ok' + else 'alarm' + end as status, + case + when s.vpc_id is null then title || ' in use.' + else title || ' not in use.' + end as reason + ${local.tag_dimensions_sql} + ${local.common_dimensions_sql} + from + aws_vpc as v + left join vpc_without_subnet as s on s.vpc_id = v.vpc_id + EOQ } \ No newline at end of file From 56eb58276ec52a5ccfecc5b979892f281930519e Mon Sep 17 00:00:00 2001 From: khushboo9024 Date: Wed, 29 Nov 2023 20:55:47 +0530 Subject: [PATCH 02/25] add sns queries --- conformance_pack/sns.sp | 80 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 80 insertions(+) diff --git a/conformance_pack/sns.sp b/conformance_pack/sns.sp index 43945f5c..8f74e3c4 100644 --- a/conformance_pack/sns.sp +++ b/conformance_pack/sns.sp 
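Review bot: In `vpc_not_in_use`, the `vpc_without_subnet` CTE uses `vpc_id not in (select vpc_id from aws_vpc_subnet)`, which returns no rows at all if any subnet row carries a null `vpc_id`; `where not exists (select 1 from aws_vpc_subnet as s where s.vpc_id = v.vpc_id)` against `aws_vpc as v` is null-safe and would let the outer `left join` be dropped. The outer query also omits the terminating `;` before `EOQ` that the other queries in this file end with. A VPC that has subnets but nothing else in it is still counted as in use; if that is the intended definition, a comment above the CTE such as `-- a VPC counts as in use once it has at least one subnet` would save the next reader the question.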
@@ -128,3 +128,83 @@ query "sns_topic_notification_delivery_status_enabled" { aws_sns_topic; EOQ } + +query "sns_topic_policy_prohibit_publishing_access" { + sql = <<-EOQ + with wildcard_action_policies as ( + select + topic_arn, + count(*) as statements_num + from + aws_sns_topic, + jsonb_array_elements(policy_std -> 'Statement') as s, + jsonb_array_elements_text(s -> 'Action') as a + where + s ->> 'Effect' = 'Allow' + and ( + ( s -> 'Principal' -> 'AWS') = '["*"]' + or s ->> 'Principal' = '*' + ) + and a = 'sns:publish' + and s -> 'Condition' is null + group by + topic_arn + ) + select + t.topic_arn as resource, + case + when p.topic_arn is null then 'ok' + else 'alarm' + end as status, + case + when p.topic_arn is null then title || ' does not allow publish access without condition.' + else title || ' contains ' || coalesce(p.statements_num,0) || + ' statements that allows publish access without condition.' + end as reason + ${replace(local.tag_dimensions_qualifier_sql, "__QUALIFIER__", "t.")} + ${replace(local.common_dimensions_qualifier_sql, "__QUALIFIER__", "t.")} + from + aws_sns_topic as t + left join wildcard_action_policies as p on p.topic_arn = t.topic_arn; + EOQ +} + +query "sns_topic_policy_prohibit_subscription_access" { + sql = <<-EOQ + with wildcard_action_policies as ( + select + topic_arn, + count(*) as statements_num + from + aws_sns_topic, + jsonb_array_elements(policy_std -> 'Statement') as s, + jsonb_array_elements_text(s -> 'Action') as a + where + s ->> 'Effect' = 'Allow' + and ( + ( s -> 'Principal' -> 'AWS') = '["*"]' + or s ->> 'Principal' = '*' + ) + and a in ('sns:subscribe', 'sns:receive') + and s -> 'Condition' is null + group by + topic_arn + ) + select + t.topic_arn as resource, + case + when p.topic_arn is null then 'ok' + else 'alarm' + end as status, + case + when p.topic_arn is null then title || ' does not allow subscribe access without condition.' 
+ else title || ' contains ' || coalesce(p.statements_num,0) || + ' statements that allows subscribe access without condition.' + end as reason + ${replace(local.tag_dimensions_qualifier_sql, "__QUALIFIER__", "t.")} + ${replace(local.common_dimensions_qualifier_sql, "__QUALIFIER__", "t.")} + from + aws_sns_topic as t + left join wildcard_action_policies as p on p.topic_arn = t.topic_arn; + EOQ +} \ No newline at end of file From 756534e27af82166a5f74eb43bc4d9becdbe9e77 Mon Sep 17 00:00:00 2001 From: khushboo9024 Date: Wed, 29 Nov 2023 22:02:36 +0530 Subject: [PATCH 03/25] update --- conformance_pack/sns.sp | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/conformance_pack/sns.sp b/conformance_pack/sns.sp index 8f74e3c4..7c40965c 100644 --- a/conformance_pack/sns.sp +++ b/conformance_pack/sns.sp 
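Review bot: In both `sns_topic_policy_prohibit_publishing_access` and `sns_topic_policy_prohibit_subscription_access`, the action filter is an exact match (`a = 'sns:publish'`, `a in ('sns:subscribe', 'sns:receive')`), so a statement granting `sns:*` or `*` to a wildcard principal is not counted and the topic is reported `ok`. Extending the predicates to `a in ('sns:publish', 'sns:*', '*')` and `a in ('sns:subscribe', 'sns:receive', 'sns:*', '*')` closes that gap, assuming `policy_std` lowercases action names as the existing comparisons imply. The `coalesce(p.statements_num,0)` in the `else` arm is redundant, because that arm is only reached when `p.topic_arn` is not null.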
@@ -207,4 +207,43 @@ query "sns_topic_policy_prohibit_subscription_access" { aws_sns_topic as t left join wildcard_action_policies as p on p.topic_arn = t.topic_arn; EOQ +} + +query "sns_topic_policy_prohibit_cross_account_access" { + sql = <<-EOQ + with cross_account_policies as ( + select + topic_arn, + count(*) as statements_num + from + aws_sns_topic, + jsonb_array_elements(policy_std -> 'Statement') as s, + jsonb_array_elements_text(s -> 'Principal' -> 'AWS') as p + where + s ->> 'Effect' = 'Allow' + and ( + ( s -> 'Principal' -> 'AWS') = '["*"]' + or s ->> 'Principal' = '*' + or split_part(p, ':', 5) <> account_id + ) + group by + topic_arn + ) + select + t.topic_arn as resource, + case + when p.topic_arn is null then 'ok' + else 'alarm' + end as status, + case + when p.topic_arn is null then title || ' does not allow cross account access.' + else title || ' contains ' || coalesce(p.statements_num,0) || + ' statements that allows cross account access.' + end as reason + ${replace(local.tag_dimensions_qualifier_sql, "__QUALIFIER__", "t.")} + ${replace(local.common_dimensions_qualifier_sql, "__QUALIFIER__", "t.")} + from + aws_sns_topic as t + left join cross_account_policies as p on p.topic_arn = t.topic_arn; + EOQ } \ No newline at end of file From 9d2029c86b1cbfd36fa4d6906e84187f3db1fa77 Mon Sep 17 00:00:00 2001 From: khushboo9024 Date: Thu, 30 Nov 2023 13:54:00 +0530 Subject: [PATCH 04/25] update --- conformance_pack/cloudtrail.sp | 53 ++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) diff --git a/conformance_pack/cloudtrail.sp b/conformance_pack/cloudtrail.sp index d472ccec..ba499117 100644 --- a/conformance_pack/cloudtrail.sp +++ b/conformance_pack/cloudtrail.sp 
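Review bot: In `sns_topic_policy_prohibit_cross_account_access`, `jsonb_array_elements_text(s -> 'Principal' -> 'AWS') as p` in the `from` list is a set-returning function that yields no rows for a null input, so a statement whose `Principal` is not an object with an `AWS` key is dropped before the `where` clause and the `s ->> 'Principal' = '*'` arm can never match (unless `policy_std` already normalizes a bare `*` into `{"AWS": ["*"]}`, which I cannot confirm from here). `split_part(p, ':', 5)` is also `''` for a principal given as a bare account id rather than an ARN, which then compares unequal to `account_id` and is counted as cross-account. Unlike its two siblings above, this query does not require `s -> 'Condition' is null`, so a statement scoped down by a condition is still reported; if that is deliberate, a one-line comment above the CTE saying so would help.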
@@ -745,3 +745,56 @@ query "cloudtrail_s3_object_write_events_audit_enabled" { b.account_id, b.region, b.arn, b.name, b.tags, b._ctx; EOQ } + +query "cloudtrail_trail_enabled_account" { + sql = <<-EOQ + with trails_enabled_account as ( + select + account_id, + count(*) as num + from + aws_cloudtrail_trail + where + home_region = region + and is_logging + group by + account_id + ) + select + a.arn as resource, + case + when b.num > 0 then 'ok' + else 'alarm' + end as status, + case + when b.num > 0 then a.title || ' has ' || b.num || ' trails enabled.' + else a.title || ' has no trail enabled.' + end as reason + ${replace(local.common_dimensions_qualifier_sql, "__QUALIFIER__", "a.")} + from + aws_account as a + left join trails_enabled_account b on a.account_id = b.account_id; + EOQ +} + +query "cloudtrail_multi_region_trail_integrated_with_logs" { + sql = <<-EOQ + select + arn as resource, + case + when log_group_arn != 'null' and ((latest_delivery_time) > current_date - 1) then 'ok' + else 'alarm' + end as status, + case + when log_group_arn != 'null' and ((latest_delivery_time) > current_date - 1) then title || ' multi region trail integrated with CloudWatch logs.' + else title || ' multi region trsail not integrated with CloudWatch logs.' + end as reason + ${local.tag_dimensions_sql} + ${local.common_dimensions_sql} + from + aws_cloudtrail_trail + where + region = home_region + and is_multi_region_trail; + EOQ +} \ No newline at end of file From a1cf33b318dbef083c4e8412c74ccf9c692ee999 Mon Sep 17 00:00:00 2001 From: khushboo9024 Date: Thu, 30 Nov 2023 19:48:03 +0530 Subject: [PATCH 05/25] update --- conformance_pack/config.sp | 20 ++++++++++++++++ conformance_pack/ecs.sp | 48 ++++++++++++++++++++++++++++++++++++++ conformance_pack/eks.sp | 16 +++++++++++++ 3 files changed, 84 insertions(+) diff --git a/conformance_pack/config.sp b/conformance_pack/config.sp index cdc93f89..0859a3be 100644 --- a/conformance_pack/config.sp +++ b/conformance_pack/config.sp 
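Review bot: In `cloudtrail_multi_region_trail_integrated_with_logs`, the `else` reason reads `' multi region trsail not integrated with CloudWatch logs.'`; change it to `' multi region trail not integrated with CloudWatch logs.'`. The guard `log_group_arn != 'null'` compares against the string literal `'null'`, so a SQL NULL only lands in the `alarm` branch because the comparison evaluates to unknown; `log_group_arn is not null` states the intent, unless the column really carries the text `'null'`, which this hunk cannot tell. In `cloudtrail_trail_enabled_account`, `b.num > 0` likewise relies on a missing CTE row evaluating to unknown; `coalesce(b.num, 0) > 0` makes that explicit.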
@@ -79,3 +79,23 @@ query "config_enabled_all_regions" { left join aws_config_configuration_recorder as r on r.account_id = a.account_id and r.region = a.name; EOQ } + +query "config_no_failed_deliver_logs" { + sql = <<-EOQ + select + arn as resource, + case + when status ->> 'LastStatus' = 'FAILURE' then 'alarm' + else 'ok' + end as status, + case + when status ->> 'LastStatus' = 'FAILURE' then title || ' has failed deliver logs.' + else title || ' does not have failed deliver logs.' + end as reason + ${local.tag_dimensions_sql} + ${local.common_dimensions_sql} + from + aws_config_configuration_recorder; + EOQ +} + diff --git a/conformance_pack/ecs.sp b/conformance_pack/ecs.sp index ae72f545..806f15f3 100644 --- a/conformance_pack/ecs.sp +++ b/conformance_pack/ecs.sp 
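Review bot: In `config_no_failed_deliver_logs`, the `status ->> 'LastStatus'` read on `aws_config_configuration_recorder` reflects, as far as I can tell, the recorder's last recording status rather than delivery of logs to the delivery channel, so the query name and reason strings may promise more than the predicate checks; confirm which status the field carries or rename the query accordingly. A recorder whose `status` is null also falls into the `ok` arm with `' does not have failed deliver logs.'`, which is generous for a recorder that has never reported. The reason strings should read `' has failed to deliver logs.'` and `' has not failed to deliver logs.'`.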
@@ -515,3 +515,51 @@ query "ecs_service_not_publicly_accessible" { left join service_awsvpc_mode_task_definition as b on a.service_name = b.service_name; EOQ } + +query "ecs_task_definition_no_root_user" { + sql = <<-EOQ + with root_user_task_definition as ( + select + distinct task_definition_arn as arn + from + aws_ecs_task_definition, + jsonb_array_elements(container_definitions) as c + where + c ->> 'User' = 'root' + ) + select + a.task_definition_arn as resource, + case + when b.arn is not null then 'alarm' + else 'ok' + end as status, + case + when b.arn is not null then a.title || ' have root user.' + else a.title || ' does not have root user.' + end as reason + ${local.tag_dimensions_sql} + ${local.common_dimensions_sql} + from + aws_ecs_task_definition as a + left join root_user_task_definition as b on a.task_definition_arn = b.arn; + EOQ +} + +query "ecs_cluster_no_active_services_count" { + sql = <<-EOQ + select + cluster_arn as resource, + case + when active_services_count > 0 then 'ok' + else 'alarm' + end as status, + case + when active_services_count > 0 then title || ' has ' || active_services_count || ' active service(s).' + else title || ' has no active service.' + end as reason + ${local.tag_dimensions_sql} + ${local.common_dimensions_sql} + from + aws_ecs_cluster; + EOQ +} \ No newline at end of file diff --git a/conformance_pack/eks.sp b/conformance_pack/eks.sp index 7d637e44..74a0fb0c 100644 --- a/conformance_pack/eks.sp +++ b/conformance_pack/eks.sp 
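Review bot: In `ecs_task_definition_no_root_user`, `c ->> 'User' = 'root'` only matches the literal `root`; a container definition whose `User` is `0`, `root:root` or `0:0` also runs as uid 0 and is reported `ok`, and a definition with no `User` at all inherits the image default and is likewise `ok`. Matching `split_part(c ->> 'User', ':', 1) in ('root', '0')` covers the uid-0 spellings; whether an absent `User` should count as root is a policy decision that deserves a comment above the CTE. In `ecs_cluster_no_active_services_count`, the name reads like 'should have no active services' while the query alarms when the count is zero; `ecs_cluster_has_active_services` would say what the control enforces.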
@@ -219,3 +219,19 @@ query "eks_cluster_endpoint_public_access_restricted" { aws_eks_cluster; EOQ } + +query "eks_cluster_no_multiple_security_groups" { + sql = <<-EOQ + select + arn as resource, + case + when jsonb_array_length(resources_vpc_config -> 'SecurityGroupIds') > 1 then 'alarm' + else 'ok' + end as status, + title || ' has '|| jsonb_array_length(resources_vpc_config -> 'SecurityGroupIds') || ' security group(s).' as reason + ${local.tag_dimensions_sql} + ${local.common_dimensions_sql} + from + aws_eks_cluster; + EOQ +} \ No newline at end of file From 47f8273468086493b3bef055c121740b6f17691d Mon Sep 17 00:00:00 2001 From: khushboo9024 Date: Thu, 30 Nov 2023 23:16:03 +0530 Subject: [PATCH 06/25] update --- conformance_pack/elasticache.sp | 23 +++++++++++++ conformance_pack/elb.sp | 59 +++++++++++++++++++++++++++++++++ conformance_pack/emr.sp | 19 ++++++++++- 3 files changed, 100 insertions(+), 1 deletion(-) diff --git a/conformance_pack/elasticache.sp b/conformance_pack/elasticache.sp index ea0539b4..99302f92 100644 --- a/conformance_pack/elasticache.sp +++ b/conformance_pack/elasticache.sp 
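Review bot: In `eks_cluster_no_multiple_security_groups`, `jsonb_array_length(resources_vpc_config -> 'SecurityGroupIds')` is null when the key is absent, which sends the row to `ok` and, because `||` propagates nulls, produces a null `reason`. Wrapping it as `coalesce(jsonb_array_length(resources_vpc_config -> 'SecurityGroupIds'), 0)` in both the `case` and the reason keeps the reason populated and makes the zero-group case explicit.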
@@ -215,3 +215,26 @@ query "elasticache_cluster_auto_minor_version_upgrade_enabled" { aws_elasticache_cluster; EOQ } + +query "elasticache_replication_group_encryption_at_rest_enabled_with_kms_cmk" { + sql = <<-EOQ + select + r.arn as resource, + case + when not at_rest_encryption_enabled then 'alarm' + when at_rest_encryption_enabled and kms_key_id is null then 'alarm' + when at_rest_encryption_enabled and kms_key_id is not null and k.enabled then 'ok' + else 'alarm' + end as status, + case + when not at_rest_encryption_enabled then r.title || ' encryption at rest disabled.' + when at_rest_encryption_enabled and kms_key_id is null then r.title || ' encryption at rest not enabled with CMK.' + when at_rest_encryption_enabled and kms_key_id is not null and k.enabled then r.title || ' encryption at rest enabled with CMK.' + else r.title || ' encryption at rest enabled with disabled CMK.' + end as reason + ${local.common_dimensions_sql} + from + aws_elasticache_replication_group as r + left join aws_kms_key as k on k.arn = r.kms_key_id; + EOQ +} \ No newline at end of file diff --git a/conformance_pack/elb.sp b/conformance_pack/elb.sp index 2d6c874e..20167e05 100644 --- a/conformance_pack/elb.sp +++ b/conformance_pack/elb.sp 
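Review bot: In `elasticache_replication_group_encryption_at_rest_enabled_with_kms_cmk`, the `from` joins `aws_elasticache_replication_group` directly to `aws_kms_key`, and both tables carry `account_id`, `region` and `_ctx`, so the unqualified `${local.common_dimensions_sql}` presumably expands to ambiguous column references; the other joined queries in this series use `${replace(local.common_dimensions_qualifier_sql, "__QUALIFIER__", "r.")}` and this one should too. The `ok` arm only requires `k.enabled`, not `k.key_manager = 'CUSTOMER'`, so an AWS-managed key satisfies a control named `_with_kms_cmk`; the redshift query added later in this series checks `key_manager = 'CUSTOMER'` and the two should agree. A key owned by another account will not appear in `aws_kms_key`, and then the `else` arm reports `' encryption at rest enabled with disabled CMK.'`, which is not what happened.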
@@ -996,3 +996,62 @@ query "ec2_classic_lb_connection_draining_enabled" { aws_ec2_classic_load_balancer; EOQ } + +query "elb_classic_lb_no_registered_instance" { + sql = <<-EOQ + select + arn as resource, + case + when jsonb_array_length(instances) = 0 then 'alarm' + else 'ok' + end as status, + title || ' has ' || jsonb_array_length(instances) || ' instances registered.' as reason + ${local.tag_dimensions_sql} + ${local.common_dimensions_sql} + from + aws_ec2_classic_load_balancer; + EOQ +} + +query "elb_classic_lb_with_inbound_rule" { + sql = <<-EOQ + with sg_with_inbound as ( + select + arn, + sg + from + aws_ec2_classic_load_balancer, + jsonb_array_elements_text(security_groups) as sg + left join aws_vpc_security_group_rule as sgr on sg = sgr.group_id + where + sgr.type = 'ingress' + group by + sg, arn + ), classic_lb_without_inbound as ( + select + distinct arn + from + aws_ec2_classic_load_balancer, + jsonb_array_elements_text(security_groups) as s + where + s not in ( select sg from sg_with_inbound) + ) + select + distinct c.arn as resource, + case + when c.security_groups is null then 'alarm' + when i.arn is not null then 'alarm' + else 'ok' + end as status, + case + when c.security_groups is null then c.title || ' does not have security group attached.' + when i.arn is not null then c.title || ' all attached security groups do not have inbound rule(s).' + else c.title || ' all attached security groups have inbound rule(s).' + end as reason + ${local.tag_dimensions_sql} + ${replace(local.common_dimensions_qualifier_sql, "__QUALIFIER__", "c.")} + from + aws_ec2_classic_load_balancer as c + left join classic_lb_without_inbound as i on c.arn = i.arn; + EOQ +} diff --git a/conformance_pack/emr.sp b/conformance_pack/emr.sp index a13fed58..4b1fef1a 100644 --- a/conformance_pack/emr.sp +++ b/conformance_pack/emr.sp 
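Review bot: In `elb_classic_lb_with_inbound_rule`, the `i.arn is not null` arm reports `' all attached security groups do not have inbound rule(s).'`, but `classic_lb_without_inbound` collects any load balancer with at least one security group lacking an ingress rule, so the message overstates; `c.title || ' has attached security group(s) without inbound rule(s).'` matches what was computed. In `sg_with_inbound`, `left join aws_vpc_security_group_rule as sgr ... where sgr.type = 'ingress'` is an inner join in disguise because the `where` discards the unmatched rows; write it as `inner join aws_vpc_security_group_rule as sgr on sg = sgr.group_id and sgr.type = 'ingress'`. In `elb_classic_lb_no_registered_instance`, `jsonb_array_length(instances)` is null when `instances` is null, which yields `ok` and a null reason; `coalesce(jsonb_array_length(instances), 0)` handles that.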
@@ -113,4 +113,21 @@ query "emr_cluster_master_nodes_no_public_ip" { EOQ } - +query "emr_cluster_security_configuration_enabled" { + sql = <<-EOQ + select + cluster_arn as resource, + case + when security_configuration is not null then 'ok' + else 'alarm' + end as status, + case + when security_configuration is not null then title || ' security configuration enabled.' + else title || ' security configuration disabled.' + end as reason + ${local.tag_dimensions_sql} + ${local.common_dimensions_sql} + from + aws_emr_cluster; + EOQ +} \ No newline at end of file From aba25463fc9afff4208e965b0dce714a33390a8b Mon Sep 17 00:00:00 2001 From: khushboo9024 Date: Sat, 2 Dec 2023 22:07:42 +0530 Subject: [PATCH 07/25] update --- all_controls/acm.sp | 4 +++- all_controls/cloudfront.sp | 3 ++- all_controls/cloudtrail.sp | 4 +++- all_controls/config.sp | 3 ++- all_controls/docdb.sp | 3 ++- all_controls/ecs.sp | 4 +++- all_controls/eks.sp | 3 ++- all_controls/sqs.sp | 3 ++- all_controls/ssm.sp | 3 ++- all_controls/vpc.sp | 3 ++- conformance_pack/acm.sp | 22 ++++++++++++++++++--- conformance_pack/cloudfront.sp | 8 ++++++++ conformance_pack/cloudtrail.sp | 16 ++++++++++++++++ conformance_pack/config.sp | 8 ++++++++ conformance_pack/docdb.sp | 21 +------------------- conformance_pack/ecs.sp | 16 ++++++++++++++++ conformance_pack/eks.sp | 10 +++++++++- conformance_pack/redshift.sp | 32 +++++++++++++++++++++++++++++++ conformance_pack/sqs.sp | 8 ++++++++ conformance_pack/ssm.sp | 8 ++++++++ conformance_pack/vpc.sp | 35 ++++++++++++++++++++++++++++++++++ 21 files changed, 183 insertions(+), 34 deletions(-) diff --git a/all_controls/acm.sp b/all_controls/acm.sp index 463d5396..7862f211 100644 --- a/all_controls/acm.sp +++ b/all_controls/acm.sp 
@@ -10,7 +10,9 @@ benchmark "all_controls_acm" { children = [ control.acm_certificate_expires_30_days, control.acm_certificate_no_wildcard_domain_name, - control.acm_certificate_transparency_logging_enabled + control.acm_certificate_transparency_logging_enabled, + control.acm_certificate_not_expired, + control.acm_certificate_no_failed_certificate ] tags = merge(local.all_controls_acm_common_tags, { diff --git a/all_controls/cloudfront.sp b/all_controls/cloudfront.sp index b2d8357f..fce81b6b 100644 --- a/all_controls/cloudfront.sp +++ b/all_controls/cloudfront.sp @@ -22,7 +22,8 @@ benchmark "all_controls_cloudfront" { control.cloudfront_distribution_sni_enabled, control.cloudfront_distribution_use_custom_ssl_certificate, control.cloudfront_distribution_use_secure_cipher, - control.cloudfront_distribution_waf_enabled + control.cloudfront_distribution_waf_enabled, + control.cloudfront_distribution_protocol_version_latest, ] tags = merge(local.all_controls_cloudfront_common_tags, { diff --git a/all_controls/cloudtrail.sp b/all_controls/cloudtrail.sp index 97505a25..f405b897 100644 --- a/all_controls/cloudtrail.sp +++ b/all_controls/cloudtrail.sp @@ -21,7 +21,9 @@ benchmark "all_controls_cloudtrail" { control.cloudtrail_trail_insight_selectors_and_logging_enabled, control.cloudtrail_trail_integrated_with_logs, control.cloudtrail_trail_logs_encrypted_with_kms_cmk, - control.cloudtrail_trail_validation_enabled + control.cloudtrail_trail_validation_enabled, + control.cloudtrail_trail_enabled_account, + control.cloudtrail_multi_region_trail_integrated_with_logs, ] tags = merge(local.all_controls_cloudtrail_common_tags, { diff --git a/all_controls/config.sp b/all_controls/config.sp index 373d4825..0394ac1e 100644 --- a/all_controls/config.sp +++ b/all_controls/config.sp 
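Review bot: In `all_controls_acm`, `control.acm_certificate_not_expired` and `control.acm_certificate_no_failed_certificate` are appended after `control.acm_certificate_transparency_logging_enabled`, breaking the alphabetical order the existing `children` lists keep; the cloudfront, cloudtrail, docdb, ecs, eks, sqs and vpc lists in this patch have the same problem. The lists are also inconsistent about the trailing comma: acm and config end without one, while cloudfront, cloudtrail, docdb, ecs, eks, sqs, ssm and vpc now end with `control.…,` directly before `]`; HCL accepts both, but the mod should pick one.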
@@ -8,7 +8,8 @@ benchmark "all_controls_config" { title = "Config" description = "This section contains recommendations for configuring Config resources." children = [ - control.config_enabled_all_regions + control.config_enabled_all_regions, + control.config_no_failed_deliver_logs ] tags = merge(local.all_controls_config_common_tags, { diff --git a/all_controls/docdb.sp b/all_controls/docdb.sp index df3df3d6..f88113c6 100644 --- a/all_controls/docdb.sp +++ b/all_controls/docdb.sp @@ -10,7 +10,8 @@ benchmark "all_controls_docdb" { children = [ control.docdb_cluster_backup_retention_period_7_days, control.docdb_cluster_encryption_at_rest_enabled, - control.docdb_cluster_instance_logging_enabled + control.docdb_cluster_instance_logging_enabled, + control.docdb_cluster_deletion_protection_enabled, ] tags = merge(local.all_controls_docdb_common_tags, { diff --git a/all_controls/ecs.sp b/all_controls/ecs.sp index 7ce2d949..4848f184 100644 --- a/all_controls/ecs.sp +++ b/all_controls/ecs.sp @@ -21,7 +21,9 @@ benchmark "all_controls_ecs" { control.ecs_task_definition_container_readonly_root_filesystem, control.ecs_task_definition_logging_enabled, control.ecs_task_definition_no_host_pid_mode, - control.ecs_task_definition_user_for_host_mode_check + control.ecs_task_definition_user_for_host_mode_check, + control.ecs_task_definition_no_root_user, + control.ecs_cluster_no_active_services_count, ] tags = merge(local.all_controls_ecs_common_tags, { diff --git a/all_controls/eks.sp b/all_controls/eks.sp index 212d230a..cffc4ba2 100644 --- a/all_controls/eks.sp +++ b/all_controls/eks.sp @@ -13,7 +13,8 @@ benchmark "all_controls_eks" { control.eks_cluster_endpoint_restrict_public_access, control.eks_cluster_no_default_vpc, control.eks_cluster_secrets_encrypted, - control.eks_cluster_with_latest_kubernetes_version + control.eks_cluster_with_latest_kubernetes_version, + control.eks_cluster_no_multiple_security_groups, ] tags = merge(local.all_controls_eks_common_tags, { 
diff --git a/all_controls/sqs.sp b/all_controls/sqs.sp index 88248d5b..83508782 100644 --- a/all_controls/sqs.sp +++ b/all_controls/sqs.sp @@ -10,7 +10,8 @@ benchmark "all_controls_sqs" { children = [ control.sqs_queue_dead_letter_queue_configured, control.sqs_queue_encrypted_at_rest, - control.sqs_queue_policy_prohibit_public_access + control.sqs_queue_policy_prohibit_public_access, + control.sqs_queue_encrypted_with_kms_cmk, ] tags = merge(local.all_controls_sqs_common_tags, { diff --git a/all_controls/ssm.sp b/all_controls/ssm.sp index 34c08210..3f63279e 100644 --- a/all_controls/ssm.sp +++ b/all_controls/ssm.sp @@ -11,7 +11,8 @@ benchmark "all_controls_ssm" { control.ec2_instance_ssm_managed, control.ssm_document_prohibit_public_access, control.ssm_managed_instance_compliance_association_compliant, - control.ssm_managed_instance_compliance_patch_compliant + control.ssm_managed_instance_compliance_patch_compliant, + control.ssm_parameter_encryption_enabled, ] tags = merge(local.all_controls_ssm_common_tags, { diff --git a/all_controls/vpc.sp b/all_controls/vpc.sp index 3a46d72c..add8bf7c 100644 --- a/all_controls/vpc.sp +++ b/all_controls/vpc.sp @@ -41,7 +41,8 @@ benchmark "all_controls_vpc" { control.vpc_subnet_auto_assign_public_ip_disabled, control.vpc_subnet_multi_az_enabled, control.vpc_subnet_public_and_private, - control.vpc_vpn_tunnel_up + control.vpc_vpn_tunnel_up, + control.vpc_not_in_use, ] tags = merge(local.all_controls_vpc_common_tags, { diff --git a/conformance_pack/acm.sp b/conformance_pack/acm.sp index af9cee13..f94740bc 100644 --- a/conformance_pack/acm.sp +++ b/conformance_pack/acm.sp 
@@ -43,6 +43,22 @@ control "acm_certificate_no_wildcard_domain_name" { tags = local.conformance_pack_acm_common_tags } +control "acm_certificate_not_expired" { + title = "Ensure that all the expired ACM certificates are removed" + description = "This control ensures that all expired ACM certificates are removed from AWS account." + query = query.acm_certificate_not_expired + + tags = local.conformance_pack_acm_common_tags +} + +control "acm_certificate_no_failed_certificate" { + title = "Ensure that ACM certificates are not in failed state" + description = "This control ensures that ACM certificates are not in failed state." + query = query.acm_certificate_no_failed_certificate + + tags = local.conformance_pack_acm_common_tags +} + query "acm_certificate_expires_30_days" { sql = <<-EOQ select @@ -104,7 +120,7 @@ query "acm_certificate_no_wildcard_domain_name" { EOQ } -query "acm_certificate_expired" { +query "acm_certificate_not_expired" { sql = <<-EOQ select certificate_arn as resource, @@ -136,8 +152,8 @@ query "acm_certificate_no_failed_certificate" { else 'ok' end as status, title || ' status is ' || status || '.' as reason - --${local.tag_dimensions_sql} - --${local.common_dimensions_sql} + ${local.tag_dimensions_sql} + ${local.common_dimensions_sql} from aws_acm_certificate; EOQ diff --git a/conformance_pack/cloudfront.sp b/conformance_pack/cloudfront.sp index ce0f4440..f481f8cc 100644 --- a/conformance_pack/cloudfront.sp +++ b/conformance_pack/cloudfront.sp 
@@ -158,6 +158,14 @@ control "cloudfront_distribution_field_level_encryption_enabled" { tags = local.conformance_pack_cloudfront_common_tags } +control "cloudfront_distribution_protocol_version_latest" { + title = "CloudFront distributions should have latest TLS protocol version" + description = "This control checks whether an AWS CloudFront distribution uses latest protocol version." + query = query.cloudfront_distribution_protocol_version_latest + + tags = local.conformance_pack_cloudfront_common_tags +} + query "cloudfront_distribution_encryption_in_transit_enabled" { sql = <<-EOQ with data as ( diff --git a/conformance_pack/cloudtrail.sp b/conformance_pack/cloudtrail.sp index ba499117..cd21d77f 100644 --- a/conformance_pack/cloudtrail.sp +++ b/conformance_pack/cloudtrail.sp @@ -237,6 +237,22 @@ control "cloudtrail_trail_bucket_mfa_enabled" { tags = local.conformance_pack_cloudtrail_common_tags } +control "cloudtrail_trail_enabled_account" { + title = "At least one CloudTrail trail should be enabled in the AWS account" + description = "Ensure that at least one CloudTrail trail is be enabled in the AWS account." + query = query.cloudtrail_trail_enabled_account + + tags = local.conformance_pack_cloudtrail_common_tags +} + +control "cloudtrail_multi_region_trail_integrated_with_logs" { + title = "CloudTrail multi region trails should be integrated with CloudWatch logs" + description = "Ensure that CloudTrail multi region trails are itegrated with CloudWatch logs." + query = query.cloudtrail_multi_region_trail_integrated_with_logs + + tags = local.conformance_pack_cloudtrail_common_tags +} + query "cloudtrail_trail_integrated_with_logs" { sql = <<-EOQ select diff --git a/conformance_pack/config.sp b/conformance_pack/config.sp index 0859a3be..9aa63ed3 100644 --- a/conformance_pack/config.sp +++ b/conformance_pack/config.sp 
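Review bot: In the `cloudtrail_trail_enabled_account` control, the description reads `"Ensure that at least one CloudTrail trail is be enabled in the AWS account."`; drop the stray `be`. The `cloudtrail_multi_region_trail_integrated_with_logs` description in the same hunk has `itegrated` for `integrated`.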
@@ -21,6 +21,14 @@ control "config_enabled_all_regions" { }) } +control "config_no_failed_deliver_logs" { + title = "Config should not fail to deliver logs" + description = "This control checks whether AWS Config fails to deliver logs. This control is non-compliant if AWS Config fails to deliver logs." + query = query.config_no_failed_deliver_logs + + tags = local.conformance_pack_config_common_tags +} + query "config_enabled_all_regions" { sql = <<-EOQ -- pgFormatter-ignore diff --git a/conformance_pack/docdb.sp b/conformance_pack/docdb.sp index 1898ab77..6a879e2a 100644 --- a/conformance_pack/docdb.sp +++ b/conformance_pack/docdb.sp @@ -30,7 +30,7 @@ control "docdb_cluster_instance_logging_enabled" { control "docdb_cluster_deletion_protection_enabled" { title = "DocumentDB clusters should have deletion protection enabled" - description = "Ensure DocumentDB) clusters have deletion protection enabled." + description = "Ensure DocumentDB clusters have deletion protection enabled." query = query.docdb_cluster_deletion_protection_enabled tags = local.conformance_pack_docdb_common_tags @@ -110,22 +110,3 @@ query "docdb_cluster_deletion_protection_enabled" { aws_docdb_cluster; EOQ } - -query "docdb_cluster_deletion_protection_enabled" { - sql = <<-EOQ - select - arn as resource, - case - when deletion_protection then 'ok' - else 'alarm' - end status, - case - when deletion_protection then title || ' deletion protection enabled.' - else title || ' deletion protection not enabled.' - end reason - ${local.tag_dimensions_sql} - ${local.common_dimensions_sql} - from - aws_docdb_cluster; - EOQ -} diff --git a/conformance_pack/ecs.sp b/conformance_pack/ecs.sp index 806f15f3..b281b7fe 100644 --- a/conformance_pack/ecs.sp +++ b/conformance_pack/ecs.sp 
@@ -139,6 +139,22 @@ control "ecs_service_fargate_using_latest_platform_version" { }) } +control "ecs_task_definition_no_root_user" { + title = "ECS task definitions should not use root user." + description = "This control checks if ECS task definitions have root user. This control fails if the ECS task definitions .have root user" + query = query.ecs_task_definition_no_root_user + + tags = local.conformance_pack_ecs_common_tags +} + +control "ecs_cluster_no_active_services_count" { + title = "ECS cluster should be configured with active services" + description = "This control checks if ECS cluster have active services. This control fails if ECS cluster does not have any active services." + query = query.ecs_cluster_no_active_services_count + + tags = local.conformance_pack_ecs_common_tags +} + query "ecs_cluster_encryption_at_rest_enabled" { sql = <<-EOQ with unencrypted_volumes as ( diff --git a/conformance_pack/eks.sp b/conformance_pack/eks.sp index 74a0fb0c..bedc792e 100644 --- a/conformance_pack/eks.sp +++ b/conformance_pack/eks.sp @@ -66,6 +66,14 @@ control "eks_cluster_endpoint_public_access_restricted" { tags = local.conformance_pack_eks_common_tags } +control "eks_cluster_no_multiple_security_groups" { + title = "EKS clusters should not use multiple security groups" + description = "This controls ensures that EKS clusters is not using multiple security groups." + query = query.eks_cluster_no_multiple_security_groups + + tags = local.conformance_pack_eks_common_tags +} + query "eks_cluster_secrets_encrypted" { sql = <<-EOQ with eks_secrets_encrypted as ( @@ -234,4 +242,4 @@ query "eks_cluster_no_multiple_security_groups" { from aws_eks_cluster; EOQ -} \ No newline at end of file +} diff --git a/conformance_pack/redshift.sp b/conformance_pack/redshift.sp index 0dcd3762..58fbc5ef 100644 --- a/conformance_pack/redshift.sp +++ b/conformance_pack/redshift.sp 
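Review bot: The name `ecs_cluster_no_active_services_count` reads as the inverse of its title ("ECS cluster should be configured with active services"); the neighbouring controls in this file are named for the desired state, as in `ecs_service_fargate_using_latest_platform_version` in the hunk header, so a name such as `ecs_cluster_active_services_count` would be consistent and less confusing when the control alarms. The `ecs_task_definition_no_root_user` title carries a trailing period the other titles do not have, and its description has a misplaced period and never says what "have root user" means: `title = "ECS task definitions should not use root user"` and `description = "This control checks if ECS task definitions run as the root user. This control fails if an ECS task definition runs as the root user."`. The eks.sp hunk further down has the same grammar problem in `eks_cluster_no_multiple_security_groups` ("This controls ensures that EKS clusters is not using"), which should read `description = "This control ensures that EKS clusters do not use multiple security groups."`.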
@@ -420,3 +420,35 @@ query "redshift_cluster_automatic_upgrade_major_versions_enabled" { aws_redshift_cluster; EOQ } + +query "redshift_cluster_encrypted_with_cmk" { + sql = <<-EOQ + with encrypted_cluster as ( + select + r.arn as arn, + key_manager + from + aws_redshift_cluster as r + left join aws_kms_key as k on r.kms_key_id = k.arn + where + enabled + ) + select + r.arn as resource, + case + when not encrypted then 'alarm' + when encrypted and c.key_manager = 'CUSTOMER' then 'ok' + else 'alarm' + end as status, + case + when not encrypted then title || ' not encrypted.' + when encrypted and c.key_manager = 'CUSTOMER' then title || ' encrypted with CMK.' + else title || ' not encrypted with CMK.' + end as reason + ${local.tag_dimensions_sql} + ${local.common_dimensions_sql} + from + aws_redshift_cluster as r + left join encrypted_cluster as c on r.arn = c.arn; + EOQ +} \ No newline at end of file diff --git a/conformance_pack/sqs.sp b/conformance_pack/sqs.sp index 00f9c024..d8ece21a 100644 --- a/conformance_pack/sqs.sp +++ b/conformance_pack/sqs.sp @@ -28,6 +28,14 @@ control "sqs_queue_dead_letter_queue_configured" { tags = local.conformance_pack_sqs_common_tags } +control "sqs_queue_encrypted_with_kms_cmk" { + title = "SQS queues should be encrypted with KMS CMK" + description = "To help protect sensitive data at rest, ensure encryption is enabled for your AWS SQS queues with KMS CMK." + query = query.sqs_queue_encrypted_with_kms_cmk + + tags = local.conformance_pack_sqs_common_tags +} + query "sqs_queue_policy_prohibit_public_access" { sql = <<-EOQ with wildcard_action_policies as ( diff --git a/conformance_pack/ssm.sp b/conformance_pack/ssm.sp index fc2e7603..a5311965 100644 --- a/conformance_pack/ssm.sp +++ b/conformance_pack/ssm.sp 
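Review bot: In `redshift_cluster_encrypted_with_cmk` the `encrypted_cluster` CTE filters on a bare `enabled`, which is presumably the `aws_kms_key` flag but is not qualified, and that filter drops every cluster whose customer-managed key is currently disabled, so such clusters fall through to the "not encrypted with CMK" reason even though they are encrypted with one. Qualify the column, `where k.enabled`, and either keep the key state out of the CTE or report the disabled-key case with its own reason so the finding is accurate. The join `r.kms_key_id = k.arn` presumes `kms_key_id` holds a full key ARN rather than a key id, which is worth confirming against the table schema. `rds_db_cluster_encrypted_with_cmk` in a later patch of this series (conformance_pack/rds.sp) copies the same pattern and needs the same treatment.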
@@ -90,6 +90,14 @@ control "ssm_document_prohibit_public_access" { }) } +control "ssm_parameter_encryption_enabled" { + title = "SSM parameters encryption should be enabled" + description = "This control checks if SSM parameter has encryption enabled." + query = query.ssm_parameter_encryption_enabled + + tags = local.conformance_pack_ssm_common_tags +} + query "ec2_instance_ssm_managed" { sql = <<-EOQ select diff --git a/conformance_pack/vpc.sp b/conformance_pack/vpc.sp index 72bb2cce..c48ffdbc 100644 --- a/conformance_pack/vpc.sp +++ b/conformance_pack/vpc.sp @@ -423,6 +423,14 @@ control "vpc_peering_connection_route_table_least_privilege" { tags = local.conformance_pack_vpc_common_tags } +control "vpc_not_in_use" { + title = "VPCs should be in use" + description = "This control checks whether there are any unused VPCs." + query = query.vpc_not_in_use + + tags = local.conformance_pack_vpc_common_tags +} + query "vpc_flow_logs_enabled" { sql = <<-EOQ select @@ -1811,4 +1819,31 @@ query "vpc_not_in_use" { aws_vpc as v left join vpc_without_subnet as s on s.vpc_id = v.vpc_id EOQ +} + +query "vpc_vpn_gateway_per_region_less_then_4" { + sql = <<-EOQ + with vpn_gateway_per_region as ( + select + count(*), + region, + account_id + from + aws_vpc_vpn_gateway + group by + region, + account_id + ) + select + 'arn:' || r.partition || '::' || r.region || ':' || r.account_id as resource, + case + when v.count > 3 then 'alarm' + else 'ok' + end as status, + r.region || ' region has ' || coalesce(v.count, 0) || ' VPN gateway(s).' as reason + --${replace(local.common_dimensions_qualifier_sql, "__QUALIFIER__", "r.")} + from + aws_region as r + left join vpn_gateway_per_region as v on r.account_id = v.account_id and r.region = v.region; + EOQ } \ No newline at end of file From 0e780d2365436ff270ad7efd41db4723c37bac58 Mon Sep 17 00:00:00 2001 
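Review bot: `vpc_vpn_gateway_per_region_less_then_4` misspells "than" in the query name, and because controls and benchmarks reference queries by name this becomes hard to rename later; `vpc_vpn_gateway_per_region_less_than_4` is the intended form. The CTE relies on the implicit `count` column produced by an unaliased `count(*)` and then reads it as `v.count`; `count(*) as vpn_gateway_count` with `when v.vpn_gateway_count > 3 then 'alarm'` makes the threshold explicit. The commented-out `--${replace(local.common_dimensions_qualifier_sql, "__QUALIFIER__", "r.")}` line should be either enabled or removed rather than left as dead text inside the heredoc, and no control referencing this query appears in the visible hunks.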
From: khushboo9024 Date: Sun, 3 Dec 2023 19:40:41 +0530 Subject: [PATCH 08/25] add controls --- all_controls/elasticache.sp | 3 ++- all_controls/elb.sp | 4 +++- all_controls/emr.sp | 3 ++- all_controls/redshift.sp | 3 ++- all_controls/sns.sp | 5 ++++- conformance_pack/elasticache.sp | 8 ++++++++ conformance_pack/elb.sp | 16 ++++++++++++++++ conformance_pack/emr.sp | 8 ++++++++ conformance_pack/redshift.sp | 8 ++++++++ conformance_pack/sns.sp | 24 ++++++++++++++++++++++++ 10 files changed, 77 insertions(+), 5 deletions(-) diff --git a/all_controls/elasticache.sp b/all_controls/elasticache.sp index 8407bd00..22d278da 100644 --- a/all_controls/elasticache.sp +++ b/all_controls/elasticache.sp @@ -14,7 +14,8 @@ benchmark "all_controls_elasticache" { control.elasticache_replication_group_auto_failover_enabled, control.elasticache_replication_group_encryption_at_rest_enabled, control.elasticache_replication_group_encryption_in_transit_enabled, - control.elasticache_replication_group_redis_auth_enabled + control.elasticache_replication_group_redis_auth_enabled, + control.elasticache_replication_group_encryption_at_rest_enabled_with_kms_cmk, ] tags = merge(local.all_controls_elasticache_common_tags, { diff --git a/all_controls/elb.sp b/all_controls/elb.sp index 8ca6afe2..45c3bf4c 100644 --- a/all_controls/elb.sp +++ b/all_controls/elb.sp @@ -30,7 +30,9 @@ benchmark "all_controls_elb" { control.elb_classic_lb_with_outbound_rule, control.elb_listener_use_secure_ssl_cipher, control.elb_network_lb_tls_listener_security_policy_configured, - control.elb_tls_listener_protocol_version + control.elb_tls_listener_protocol_version, + control.elb_classic_lb_no_registered_instance, + control.elb_classic_lb_with_inbound_rule, ] tags = merge(local.all_controls_elb_common_tags, { diff --git a/all_controls/emr.sp b/all_controls/emr.sp index e024b7f7..e525d246 100644 --- a/all_controls/emr.sp +++ b/all_controls/emr.sp 
@@ -10,7 +10,8 @@ benchmark "all_controls_emr" { children = [ control.emr_account_public_access_blocked, control.emr_cluster_kerberos_enabled, - control.emr_cluster_master_nodes_no_public_ip + control.emr_cluster_master_nodes_no_public_ip, + control.emr_cluster_security_configuration_enabled, ] tags = merge(local.all_controls_emr_common_tags, { diff --git a/all_controls/redshift.sp b/all_controls/redshift.sp index de3c2f3b..eb422371 100644 --- a/all_controls/redshift.sp +++ b/all_controls/redshift.sp @@ -18,7 +18,8 @@ benchmark "all_controls_redshift" { control.redshift_cluster_maintenance_settings_check, control.redshift_cluster_no_default_admin_name, control.redshift_cluster_no_default_database_name, - control.redshift_cluster_prohibit_public_access + control.redshift_cluster_prohibit_public_access, + control.redshift_cluster_encrypted_with_cmk, ] tags = merge(local.all_controls_redshift_common_tags, { diff --git a/all_controls/sns.sp b/all_controls/sns.sp index 51ab9cca..25439064 100644 --- a/all_controls/sns.sp +++ b/all_controls/sns.sp @@ -10,7 +10,10 @@ benchmark "all_controls_sns" { children = [ control.sns_topic_encrypted_at_rest, control.sns_topic_notification_delivery_status_enabled, - control.sns_topic_policy_prohibit_public_access + control.sns_topic_policy_prohibit_public_access, + control.sns_topic_policy_prohibit_publishing_access, + control.sns_topic_policy_prohibit_subscription_access, + control.sns_topic_policy_prohibit_cross_account_access, ] tags = merge(local.all_controls_sns_common_tags, { diff --git a/conformance_pack/elasticache.sp b/conformance_pack/elasticache.sp index 99302f92..768f1e79 100644 --- a/conformance_pack/elasticache.sp +++ b/conformance_pack/elasticache.sp 
@@ -77,6 +77,14 @@ control "elasticache_redis_cluster_automatic_backup_retention_15_days" { }) } +control "elasticache_replication_group_encryption_at_rest_enabled_with_kms_cmk" { + title = "ElastiCache for Redis replication groups should be encrypted with CMK" + description = "Ensure ElastiCache for Redis replication group are encrypted using CMK. The rule is non-compliant if the ElastiCache for Redis replication group is not encrypted using CMK." + query = query.elasticache_replication_group_encryption_at_rest_enabled_with_kms_cmk + + tags = local.conformance_pack_elasticache_common_tags +} + query "elasticache_redis_cluster_automatic_backup_retention_15_days" { sql = <<-EOQ select diff --git a/conformance_pack/elb.sp b/conformance_pack/elb.sp index 20167e05..b89f274d 100644 --- a/conformance_pack/elb.sp +++ b/conformance_pack/elb.sp @@ -321,6 +321,22 @@ control "elb_application_gateway_network_lb_multiple_az_configured" { }) } +control "elb_classic_lb_no_registered_instance" { + title = "ELB classic load balancers should have at least one registered instance" + description = "This control checks whether an ELB classic load balancers has registered instances. The control fails if an ELB classic load balancer has zero instances registered." + query = query.elb_classic_lb_no_registered_instance + + tags = local.foundational_security_elb_common_tags +} + +control "elb_classic_lb_with_inbound_rule" { + title = "ELB classic load balancers should have at least one inbound rule" + description = "Ensure classic load balancers have at least one inbound rule in all the attached security groups." + query = query.elb_classic_lb_with_inbound_rule + + tags = local.foundational_security_elb_common_tags +} + query "elb_application_classic_lb_logging_enabled" { sql = <<-EOQ ( diff --git a/conformance_pack/emr.sp b/conformance_pack/emr.sp index 4b1fef1a..fc881a10 100644 --- a/conformance_pack/emr.sp +++ b/conformance_pack/emr.sp 
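Review bot: Both new controls in conformance_pack/elb.sp set `tags = local.foundational_security_elb_common_tags`, while every other control added in this series uses its file's own `local.conformance_pack_<service>_common_tags`; unless elb.sp defines that local, this points at another benchmark's tags and should be `tags = local.conformance_pack_elb_common_tags`. The name `elb_classic_lb_no_registered_instance` also reads as the opposite of its title ("should have at least one registered instance"); a name for the desired state, for example `elb_classic_lb_with_registered_instance`, would match `elb_classic_lb_with_inbound_rule` directly below it. In the elasticache.sp hunk above, "replication group are encrypted" should read "replication groups are encrypted".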
@@ -54,6 +54,14 @@ control "emr_cluster_master_nodes_no_public_ip" { }) } +control "emr_cluster_security_configuration_enabled" { + title = "EMR clusters should have security configuration enabled" + description = "Ensure EMR cluster have security configuration enabled. This control fails if security configuration is not enabled for EMR cluster." + query = query.emr_cluster_security_configuration_enabled + + tags = local.conformance_pack_emr_common_tags +} + query "emr_account_public_access_blocked" { sql = <<-EOQ select diff --git a/conformance_pack/redshift.sp b/conformance_pack/redshift.sp index 58fbc5ef..95686c93 100644 --- a/conformance_pack/redshift.sp +++ b/conformance_pack/redshift.sp @@ -196,6 +196,14 @@ control "redshift_cluster_no_default_database_name" { }) } +control "redshift_cluster_encrypted_with_cmk" { + title = "Redshift clusters should be encrypted with CMK" + description = "Ensure Redshift cluster is encrypted using CMK. The rule is non-compliant if the Redshift clusters is not encrypted using CMK." + query = query.redshift_cluster_encrypted_with_cmk + + tags = local.conformance_pack_redshift_common_tags +} + query "redshift_cluster_encryption_in_transit_enabled" { sql = <<-EOQ with pg_with_ssl as ( diff --git a/conformance_pack/sns.sp b/conformance_pack/sns.sp index 7c40965c..f28e5328 100644 --- a/conformance_pack/sns.sp +++ b/conformance_pack/sns.sp 
@@ -46,6 +46,30 @@ control "sns_topic_notification_delivery_status_enabled" { }) } +control "sns_topic_policy_prohibit_publishing_access" { + title = "SNS topic policies should prohibit publishing access" + description = "Manage access to resources in the AWS Cloud by ensuring AWS SNS topics cannot accessed publicly for .publishing" + query = query.sns_topic_policy_prohibit_publishing_access + + tags = local.conformance_pack_sns_common_tags +} + +control "sns_topic_policy_prohibit_subscription_access" { + title = "SNS topic policies should subscription public access" + description = "Manage access to resources in the AWS Cloud by ensuring AWS SNS topics cannot accessed publicly for subscription" + query = query.sns_topic_policy_prohibit_subscription_access + + tags = local.conformance_pack_sns_common_tags +} + +control "sns_topic_policy_prohibit_cross_account_access" { + title = "SNS topic policies should prohibit cross account access" + description = "Manage access to resources in the AWS Cloud by ensuring AWS SNS topics does not have cross account access." + query = query.sns_topic_policy_prohibit_cross_account_access + + tags = local.conformance_pack_sns_common_tags +} + query "sns_topic_encrypted_at_rest" { sql = <<-EOQ select From 302c3a59d35464c80e4a6a826c0c7608f4d8d635 Mon Sep 17 00:00:00 2001 From: khushboo9024 Date: Sun, 3 Dec 2023 20:53:40 +0530 Subject: [PATCH 09/25] update --- all_controls/acm.sp | 3 ++- all_controls/rds.sp | 3 ++- conformance_pack/acm.sp | 24 ++++++++++++++++++++++++ conformance_pack/rds.sp | 29 +++++++++++++++++++++++++++++ 4 files changed, 57 insertions(+), 2 deletions(-) diff --git a/all_controls/acm.sp b/all_controls/acm.sp index 7862f211..4b7d5ebc 100644 --- a/all_controls/acm.sp +++ b/all_controls/acm.sp 
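Review bot: The `sns_topic_policy_prohibit_subscription_access` title is missing its verb ("SNS topic policies should subscription public access"), and the first two descriptions have a stray period and a missing word ("cannot accessed publicly for .publishing"). Suggested: `title = "SNS topic policies should prohibit public subscription access"`, `description = "Manage access to resources in the AWS Cloud by ensuring AWS SNS topics cannot be accessed publicly for publishing."`, and the parallel "cannot be accessed publicly for subscription." for the second control. The third description should read "do not have cross account access".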
@@ -12,7 +12,8 @@ benchmark "all_controls_acm" { control.acm_certificate_no_wildcard_domain_name, control.acm_certificate_transparency_logging_enabled, control.acm_certificate_not_expired, - control.acm_certificate_no_failed_certificate + control.acm_certificate_no_failed_certificate, + control.acm_certificate_no_pending_validation_certificate, ] tags = merge(local.all_controls_acm_common_tags, { diff --git a/all_controls/rds.sp b/all_controls/rds.sp index 09b6f4a4..15e42d52 100644 --- a/all_controls/rds.sp +++ b/all_controls/rds.sp @@ -39,7 +39,8 @@ benchmark "all_controls_rds" { control.rds_db_parameter_group_events_subscription, control.rds_db_security_group_events_subscription, control.rds_db_snapshot_encrypted_at_rest, - control.rds_db_snapshot_prohibit_public_access + control.rds_db_snapshot_prohibit_public_access, + control.rds_db_cluster_aurora_postgres_not_exposed_to_local_file_read_vulnerability, ] tags = merge(local.all_controls_rds_common_tags, { diff --git a/conformance_pack/acm.sp b/conformance_pack/acm.sp index f94740bc..ad7dfaa1 100644 --- a/conformance_pack/acm.sp +++ b/conformance_pack/acm.sp @@ -59,6 +59,14 @@ control "acm_certificate_no_failed_certificate" { tags = local.conformance_pack_acm_common_tags } +control "acm_certificate_no_pending_validation_certificate" { + title = "Ensure that ACM certificates are not in pending validation state" + description = "This control ensures that ACM certificates are not in pending validation state. When certificates are not validated within 72 hours after the request is made, those certificates become invalid." + query = query.acm_certificate_no_pending_validation_certificate + + tags = local.conformance_pack_acm_common_tags +} + query "acm_certificate_expires_30_days" { sql = <<-EOQ select 
@@ -157,4 +165,20 @@ query "acm_certificate_no_failed_certificate" { from aws_acm_certificate; EOQ +} + +query "acm_certificate_no_pending_validation_certificate" { + sql = <<-EOQ + select + certificate_arn as resource, + case + when status = 'PENDING_VALIDATION' then 'info' + else 'ok' + end as status, + title || ' status is ' || status || '.' as reason + ${local.tag_dimensions_sql} + ${local.common_dimensions_sql} + from + aws_acm_certificate; + EOQ } \ No newline at end of file diff --git a/conformance_pack/rds.sp b/conformance_pack/rds.sp index b11db47d..1b958bba 100644 --- a/conformance_pack/rds.sp +++ b/conformance_pack/rds.sp @@ -466,6 +466,14 @@ control "rds_db_instance_connections_encryption_enabled" { tags = local.conformance_pack_rds_common_tags } +control "rds_db_cluster_aurora_postgres_not_exposed_to_local_file_read_vulnerability" { + title = "RDS Aurora PostgreSQL clusters should not be exposed to local file read vulnerability" + description = "This control checks whether AWS Aurora PostgreSQL clusters are exposed to local file read vulnerability by ensuring that AWS RDS PostgreSQL instances use a non-vulnerable version of the log_fdw." + query = query.rds_db_cluster_aurora_postgres_not_exposed_to_local_file_read_vulnerability + + tags = local.conformance_pack_rds_common_tags +} + query "rds_db_instance_backup_enabled" { sql = <<-EOQ select 
@@ -1270,3 +1278,24 @@ query "rds_db_cluster_encryption_at_rest_enabled" { aws_rds_db_cluster; EOQ } + +query "rds_db_cluster_aurora_postgres_not_exposed_to_local_file_read_vulnerability" { + sql = <<-EOQ + select + arn as resource, + case + when not engine ilike '%aurora-postgres%' then 'skip' + when engine ilike '%aurora-postgres%' and engine_version like any (array ['10.11', '10.12', '10.13', '11.6', '11.7', '11.8']) then 'alarm' + else 'ok' + end as status, + case + when not engine ilike '%aurora-postgres%' then title || ' not Aurora PostgreSQL edition.' + when engine ilike '%aurora-postgres%' and engine_version like any (array ['10.11', '10.12', '10.13', '11.6', '11.7', '11.8']) then title || ' exposed to local file read vulnerability.' + else title || ' not exposed to local file read vulnerability.' + end as reason + ${local.tag_dimensions_sql} + ${local.common_dimensions_sql} + from + aws_rds_db_instance; + EOQ +} \ No newline at end of file From 771a33e7d9d6fcf22f61cff3e1bd46e09158a771 Mon Sep 17 00:00:00 2001 From: khushboo9024 Date: Sun, 3 Dec 2023 21:06:31 +0530 Subject: [PATCH 10/25] update --- all_controls/kinesis.sp | 3 ++- conformance_pack/kinesis.sp | 28 ++++++++++++++++++++++++++++ 2 files changed, 30 insertions(+), 1 deletion(-) diff --git a/all_controls/kinesis.sp b/all_controls/kinesis.sp index 86106d9c..e449c9cb 100644 --- a/all_controls/kinesis.sp +++ b/all_controls/kinesis.sp @@ -9,7 +9,8 @@ benchmark "all_controls_kinesis" { description = "This section contains recommendations for configuring Kinesis resources." children = [ control.kinesis_stream_encrypted_with_kms_cmk, - control.kinesis_stream_server_side_encryption_enabled + control.kinesis_stream_server_side_encryption_enabled, + control.kinesis_firehose_delivery_stream_server_side_encryption_enabled, ] tags = merge(local.all_controls_kinesis_common_tags, { diff --git a/conformance_pack/kinesis.sp b/conformance_pack/kinesis.sp index 10eb3c91..b30de38c 100644 
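Review bot: `rds_db_cluster_aurora_postgres_not_exposed_to_local_file_read_vulnerability` is named, titled and described as a cluster control but selects from `aws_rds_db_instance`, so findings are per instance and the "Aurora PostgreSQL clusters" wording does not match what is reported; either read `aws_rds_db_cluster` or rename the control and query to `rds_db_instance_...`. The version test `engine_version like any (array ['10.11', '10.12', '10.13', '11.6', '11.7', '11.8'])` contains no wildcards, so it is plain equality and is clearer as `engine_version in ('10.11', '10.12', '10.13', '11.6', '11.7', '11.8')`; if the provider reports versions with an extra patch component, an exact match would miss them, which is worth checking against real data. The list is duplicated between the status and reason expressions, so a single CTE computing the vulnerable flag would keep the two from drifting. The description names the log_fdw extension but cites no advisory; a reference link would let users verify the affected-version list.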
--- a/conformance_pack/kinesis.sp +++ b/conformance_pack/kinesis.sp @@ -25,6 +25,15 @@ control "kinesis_stream_encrypted_with_kms_cmk" { tags = local.conformance_pack_kinesis_common_tags } +control "kinesis_firehose_delivery_stream_server_side_encryption_enabled" { + title = "Kinesis firehose delivery streams should have server side encryption enabled" + description = "Enable server side encryption (SSE) of your AWS Kinesis firehose delivery stream, in order to protect your data and metadata from breaches or unauthorized access, and fulfill compliance requirements for data-at-rest encryption within your organization." + query = query.kinesis_firehose_delivery_stream_server_side_encryption_enabled + + tags = local.conformance_pack_kinesis_common_tags + }) +} + query "kinesis_stream_server_side_encryption_enabled" { sql = <<-EOQ select @@ -62,3 +71,22 @@ query "kinesis_stream_encrypted_with_kms_cmk" { aws_kinesis_stream; EOQ } + +query "kinesis_firehose_delivery_stream_server_side_encryption_enabled" { + sql = <<-EOQ + select + arn as resource, + case + when delivery_stream_encryption_configuration ->> 'Status' = 'ENABLED' then 'ok' + else 'alarm' + end as status, + case + when delivery_stream_encryption_configuration ->> 'Status' = 'ENABLED' then title || ' server side encryption enabled.' + else title || ' server side encryption disabled.' + end as reason + ${local.tag_dimensions_sql} + ${local.common_dimensions_sql} + from + aws_kinesis_firehose_delivery_stream; + EOQ +} From 221db8c28bad2f5dbe9933d2e0d428233fa63858 Mon Sep 17 00:00:00 2001 From: khushboo9024 Date: Sun, 3 Dec 2023 21:49:12 +0530 Subject: [PATCH 11/25] update --- all_controls/rds.sp | 2 ++ conformance_pack/kinesis.sp | 1 - conformance_pack/rds.sp | 66 ++++++++++++++++++++++++++++++++++++- 3 files changed, 67 insertions(+), 2 deletions(-) diff --git a/all_controls/rds.sp b/all_controls/rds.sp index 15e42d52..74706d40 100644 --- a/all_controls/rds.sp +++ b/all_controls/rds.sp 
@@ -41,6 +41,8 @@ benchmark "all_controls_rds" { control.rds_db_snapshot_encrypted_at_rest, control.rds_db_snapshot_prohibit_public_access, control.rds_db_cluster_aurora_postgres_not_exposed_to_local_file_read_vulnerability, + control.rds_db_cluster_encrypted_with_cmk, + control.rds_db_instance_backup_retention_period_less_than_7, ] tags = merge(local.all_controls_rds_common_tags, { diff --git a/conformance_pack/kinesis.sp b/conformance_pack/kinesis.sp index b30de38c..e2dd2c23 100644 --- a/conformance_pack/kinesis.sp +++ b/conformance_pack/kinesis.sp @@ -31,7 +31,6 @@ control "kinesis_firehose_delivery_stream_server_side_encryption_enabled" { query = query.kinesis_firehose_delivery_stream_server_side_encryption_enabled tags = local.conformance_pack_kinesis_common_tags - }) } query "kinesis_stream_server_side_encryption_enabled" { diff --git a/conformance_pack/rds.sp b/conformance_pack/rds.sp index 1b958bba..9ed95f93 100644 --- a/conformance_pack/rds.sp +++ b/conformance_pack/rds.sp @@ -474,6 +474,22 @@ control "rds_db_cluster_aurora_postgres_not_exposed_to_local_file_read_vulnerabi tags = local.conformance_pack_rds_common_tags } +control "rds_db_cluster_encrypted_with_cmk" { + title = "RDS DB clusters should be encrypted with CMK" + description = "Ensure RDS DB cluster is encrypted using CMK. The rule is non-compliant if the RDS DB cluster is not encrypted using CMK." + query = query.rds_db_cluster_encrypted_with_cmk + + tags = local.conformance_pack_rds_common_tags +} + +control "rds_db_instance_backup_retention_period_less_than_7" { + title = "RDS DB instances backup retention period should be greater than or equal to 7" + description = "Ensure RDS DB instance backup retention period is greater than or equal to 7." + query = query.rds_db_instance_backup_retention_period_less_than_7 + + tags = local.conformance_pack_rds_common_tags +} + query "rds_db_instance_backup_enabled" { sql = <<-EOQ select 
@@ -493,6 +509,22 @@ query "rds_db_instance_backup_enabled" { EOQ } +query "rds_db_instance_backup_retention_period_less_than_7" { + sql = <<-EOQ + select + arn as resource, + case + when backup_retention_period < 7 then 'alarm' + else 'ok' + end as status, + title || ' backup retention period set to ' || backup_retention_period || '.' as reason + ${local.tag_dimensions_sql} + ${local.common_dimensions_sql} + from + aws_rds_db_instance; + EOQ +} + query "rds_db_instance_encryption_at_rest_enabled" { sql = <<-EOQ select @@ -1298,4 +1330,36 @@ query "rds_db_cluster_aurora_postgres_not_exposed_to_local_file_read_vulnerabili from aws_rds_db_instance; EOQ -} \ No newline at end of file +} + +query "rds_db_cluster_encrypted_with_cmk" { + sql = <<-EOQ + with encrypted_cluster as ( + select + c.arn as arn, + key_manager + from + aws_rds_db_cluster as c + left join aws_kms_key as k on c.kms_key_id = k.arn + where + enabled + ) + select + c.arn as resource, + case + when not storage_encrypted then 'alarm' + when storage_encrypted and e.key_manager = 'CUSTOMER' then 'ok' + else 'alarm' + end as status, + case + when not storage_encrypted then title || ' not encrypted.' + when storage_encrypted and e.key_manager = 'CUSTOMER' then title || ' encrypted with CMK.' + else title || ' not encrypted with CMK.' + end as reason + ${local.tag_dimensions_sql} + ${local.common_dimensions_sql} + from + aws_rds_db_cluster as c + left join encrypted_cluster as e on c.arn = e.arn; + EOQ +} From 7d6dc51f5445dc35e9317ecbdd6c066bde52ddb7 Mon Sep 17 00:00:00 2001 From: khushboo9024 Date: Sun, 3 Dec 2023 22:52:27 +0530 Subject: [PATCH 12/25] update --- all_controls/rds.sp | 1 + conformance_pack/rds.sp | 90 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 91 insertions(+) diff --git a/all_controls/rds.sp b/all_controls/rds.sp index 74706d40..0dcd266a 100644 --- a/all_controls/rds.sp +++ b/all_controls/rds.sp 
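Review bot: In `rds_db_instance_backup_retention_period_less_than_7`, a null `backup_retention_period` makes `backup_retention_period < 7` unknown, so the row reports `ok`, and the `||` concatenation turns the reason into null; an instance without a retention value should not pass silently. Use `when coalesce(backup_retention_period, 0) < 7 then 'alarm'` and `title || ' backup retention period set to ' || coalesce(backup_retention_period, 0) || '.' as reason`. The control that references this query (previous hunk) is named "less_than_7" while its title states the desired state ("greater than or equal to 7"), unlike the other controls in the file, which are named for the desired state.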
@@ -43,6 +43,7 @@ benchmark "all_controls_rds" { control.rds_db_cluster_aurora_postgres_not_exposed_to_local_file_read_vulnerability, control.rds_db_cluster_encrypted_with_cmk, control.rds_db_instance_backup_retention_period_less_than_7, + control.rds_db_instance_no_public_subnet, ] tags = merge(local.all_controls_rds_common_tags, { diff --git a/conformance_pack/rds.sp b/conformance_pack/rds.sp index 9ed95f93..a334fa40 100644 --- a/conformance_pack/rds.sp +++ b/conformance_pack/rds.sp @@ -490,6 +490,14 @@ control "rds_db_instance_backup_retention_period_less_than_7" { tags = local.conformance_pack_rds_common_tags } +control "rds_db_instance_no_public_subnet" { + title = "RDS DB instances should not use public_subnet" + description = "This control checks if RDS DB instance is configured with public subnet as there is a risk of exposing sensitive data." + query = query.rds_db_instance_no_public_subnet + + tags = local.conformance_pack_rds_common_tags +} + query "rds_db_instance_backup_enabled" { sql = <<-EOQ select 
@@ -1363,3 +1371,85 @@ query "rds_db_cluster_encrypted_with_cmk" { left join encrypted_cluster as e on c.arn = e.arn; EOQ } + +query "rds_db_instance_no_public_subnet" { + sql = <<-EOQ + with subnets_with_explicit_route as ( + select + distinct ( a ->> 'SubnetId') as all_sub + from + aws_vpc_route_table as t, + jsonb_array_elements(associations) as a + where + a ->> 'SubnetId' is not null + ), public_subnets_with_explicit_route as ( + select + distinct a ->> 'SubnetId' as SubnetId + from + aws_vpc_route_table as t, + jsonb_array_elements(associations) as a, + jsonb_array_elements(routes) as r + where + r ->> 'DestinationCidrBlock' = '0.0.0.0/0' + and + ( + r ->> 'GatewayId' like 'igw-%' + or r ->> 'NatGatewayId' like 'nat-%' + ) + and a ->> 'SubnetId' is not null + ), public_subnets_with_implicit_route as ( + select + distinct route_table_id, + vpc_id, + region + from + aws_vpc_route_table as t, + jsonb_array_elements(associations) as a, + jsonb_array_elements(routes) as r + where + a ->> 'Main' = 'true' + and r ->> 'DestinationCidrBlock' = '0.0.0.0/0' + and ( + r ->> 'GatewayId' like 'igw-%' + or r ->> 'NatGatewayId' like 'nat-%' + ) + ), subnet_accessibility as ( + select + subnet_id, + vpc_id, + case + when s.subnet_id in (select all_sub from subnets_with_explicit_route where all_sub not in (select SubnetId from public_subnets_with_explicit_route )) then 'private' + when p.SubnetId is not null or s.vpc_id in ( select vpc_id from public_subnets_with_implicit_route) then 'public' + else 'private' + end as access + from + aws_vpc_subnet as s + left join public_subnets_with_explicit_route as p on p.SubnetId = s.subnet_id + ), cluster_public_subnet as ( + select + distinct arn, + name as subnet_group_name + from + aws_rds_db_subnet_group, + jsonb_array_elements(subnets) as s + left join subnet_accessibility as a on a.subnet_id = s ->> 'SubnetIdentifier' + where + a.access = 'public' + ) + select + c.arn as resource, + case + when s.subnet_group_name is not null then 
'alarm' + else 'ok' + end as status, + case + when s.subnet_group_name is not null then c.title || ' has public subnet.' + else c.title || ' has private subnet.' + end as reason + ${local.tag_dimensions_sql} + ${local.common_dimensions_sql} + from + aws_rds_db_instance as c + left join cluster_public_subnet as s on s.subnet_group_name = c.db_subnet_group_name; + EOQ +} \ No newline at end of file From 18a96f258055c6d2c1370f62b770d5a8a483b271 Mon Sep 17 00:00:00 2001 From: khushboo9024 Date: Sun, 3 Dec 2023 23:16:24 +0530 Subject: [PATCH 13/25] update --- all_controls/s3.sp | 3 ++- conformance_pack/s3.sp | 37 +++++++++++++++++++++++++++++++++++++ 2 files changed, 39 insertions(+), 1 deletion(-) diff --git a/all_controls/s3.sp b/all_controls/s3.sp index a34725eb..25b88a62 100644 --- a/all_controls/s3.sp +++ b/all_controls/s3.sp @@ -29,7 +29,8 @@ benchmark "all_controls_s3" { control.s3_bucket_versioning_enabled, control.s3_public_access_block_account, control.s3_public_access_block_bucket, - control.s3_public_access_block_bucket_account + control.s3_public_access_block_bucket_account, + control.s3_bucket_not_accessible_to_all_authenticated_user ] tags = merge(local.all_controls_s3_common_tags, { diff --git a/conformance_pack/s3.sp b/conformance_pack/s3.sp index eb950ba0..d3ab95e6 100644 --- a/conformance_pack/s3.sp +++ b/conformance_pack/s3.sp @@ -379,6 +379,14 @@ control "s3_bucket_acls_should_prohibit_user_access" { }) } +control "s3_bucket_not_accessible_to_all_authenticated_user" { + title = "S3 buckets ACL should not all accessible to all authenticated user" + description = "This control checks whether AWS S3 buckets ACLs allow access to all authenticated users." + query = query.s3_bucket_not_accessible_to_all_authenticated_user + + tags =local.conformance_pack_s3_common_tags +} + query "s3_bucket_cross_region_replication_enabled" { sql = <<-EOQ with bucket_with_replication as ( 
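Review bot: In `rds_db_instance_no_public_subnet` the final join matches subnet groups by name only (`s.subnet_group_name = c.db_subnet_group_name`) and `cluster_public_subnet` keeps only `name`; DB subnet group names are scoped to an account and region, so with several accounts or regions in one connection a same-named group elsewhere can mark an instance public or hide one that is. Carry `account_id` and `region` through the CTE and join on `s.subnet_group_name = c.db_subnet_group_name and s.account_id = c.account_id and s.region = c.region`. The public-subnet test also treats a default route to a NAT gateway (`r ->> 'NatGatewayId' like 'nat-%'`) as public; a NAT route is what gives a private subnet outbound-only access, so unless outbound reachability is the intended criterion only the internet-gateway route should classify a subnet as public, otherwise most private subnets will alarm. The query is about instances, yet the CTE is named `cluster_public_subnet` and `aws_rds_db_instance` is aliased `c`; renaming those would make the query easier to follow.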
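Review bot: The `s3_bucket_not_accessible_to_all_authenticated_user` title is garbled ("S3 buckets ACL should not all accessible to all authenticated user") and `tags =local.` is missing the space every other control in this series uses. Suggested: `title = "S3 bucket ACLs should not grant access to all authenticated users"` and `tags = local.conformance_pack_s3_common_tags`.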
@@ -1131,3 +1139,32 @@ query "s3_bucket_protected_by_macie" { left join bucket_list as l on b.name = l.bucket_name; EOQ } + +query "s3_bucket_not_accessible_to_all_authenticated_user" { + sql = <<-EOQ + with public_acl as ( + select + distinct name + from + aws_s3_bucket, + jsonb_array_elements(acl -> 'Grants') as grants + where + grants -> 'Grantee' ->> 'URI' = 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers' + ) + select + b.arn as resource, + case + when p.name is null then 'ok' + else 'alarm' + end status, + case + when p.name is null then b.title || ' not accessible to all authenticated_user.' + else b.title || ' accessible to all authenticated_user.' + end as reason + ${local.tag_dimensions_sql} + ${replace(local.common_dimensions_qualifier_sql, "__QUALIFIER__", "b.")} + from + aws_s3_bucket as b + left join public_acl as p on b.name = p.name; + EOQ +} \ No newline at end of file From f74e3e3e26ab12762dee7042bc326a6811a38f3e Mon Sep 17 00:00:00 2001 From: khushboo9024 Date: Wed, 6 Dec 2023 20:38:05 +0530 Subject: [PATCH 14/25] add new queries --- all_controls/ec2.sp | 3 ++- all_controls/vpc.sp | 1 + conformance_pack/ec2.sp | 56 +++++++++++++++++++++++++++++++++++++++++ conformance_pack/vpc.sp | 31 ++++++++++++++++++++++- 4 files changed, 89 insertions(+), 2 deletions(-) diff --git a/all_controls/ec2.sp b/all_controls/ec2.sp index c4c4eae9..122755fa 100644 --- a/all_controls/ec2.sp +++ b/all_controls/ec2.sp @@ -27,7 +27,8 @@ benchmark "all_controls_ec2" { control.ec2_instance_virtualization_type_no_paravirtual, control.ec2_launch_template_not_publicly_accessible, control.ec2_stopped_instance_30_days, - control.ec2_transit_gateway_auto_cross_account_attachment_disabled + control.ec2_transit_gateway_auto_cross_account_attachment_disabled, + control.ec2_instance_no_management_level_access, ] tags = merge(local.all_controls_ec2_common_tags, { diff --git a/all_controls/vpc.sp b/all_controls/vpc.sp index add8bf7c..24f3bf2e 100644 --- a/all_controls/vpc.sp 
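Review bot: A bucket whose `acl` column is null (GetBucketAcl denied, or the ACL not collected) yields no rows from `jsonb_array_elements(acl -> 'Grants')`, so `p.name is null` and the bucket is reported `ok`; for a control whose purpose is catching over-broad grants, missing data should not read as a pass. Add a guard ahead of the existing branches, `when b.acl is null then 'skip'` with a matching reason such as `b.title || ' ACL not available.'`, so an unreadable ACL is surfaced instead of silently passed. The reason strings use `authenticated_user` with an underscore and read oddly; `' is accessible to all authenticated users.'` / `' is not accessible to all authenticated users.'` would match the control title. The alias is written `end status` here while the sibling query above uses `end as status` — worth aligning.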
+++ b/all_controls/vpc.sp @@ -43,6 +43,7 @@ benchmark "all_controls_vpc" { control.vpc_subnet_public_and_private, control.vpc_vpn_tunnel_up, control.vpc_not_in_use, + control.vpc_peering_connection_no_cross_account_access, ] tags = merge(local.all_controls_vpc_common_tags, { diff --git a/conformance_pack/ec2.sp b/conformance_pack/ec2.sp index ff4a4cb9..4e54f295 100644 --- a/conformance_pack/ec2.sp +++ b/conformance_pack/ec2.sp @@ -284,6 +284,14 @@ control "ec2_ami_restrict_public_access" { tags = local.conformance_pack_ec2_common_tags } +control "ec2_instance_no_management_level_access" { + title = "EC2 instance IAM role should not allow management level access" + description = "This control checks whether EC2 instance IAM roles should not allow management level access." + query = query.ec2_instance_no_management_level_access + + tags = local.conformance_pack_ec2_common_tags +} + query "ec2_ebs_default_encryption_enabled" { sql = <<-EOQ select 
@@ -722,3 +730,51 @@ query "ec2_launch_template_not_publicly_accessible" { left join launch_templates_associated_instance as i on i.launch_template_id = t.launch_template_id; EOQ } + +query "ec2_instance_no_management_level_access" { + sql = <<-EOQ + with iam_roles as ( + select + r.arn as role_arn, + i.arn as intance_arn + from + aws_iam_role as r, + jsonb_array_elements_text(instance_profile_arns) as p + left join aws_ec2_instance as i on p = i.iam_instance_profile_arn + where + i.arn is not null + ), iam_role_with_permission as ( + select + arn + from + aws_iam_role, + jsonb_array_elements(assume_role_policy_std -> 'Statement') as s, + jsonb_array_elements_text(s -> 'Principal' -> 'Service') as service, + jsonb_array_elements_text(s -> 'Action') as action + where + arn in (select role_arn from iam_roles) + and s ->> 'Effect' = 'Allow' + and service = 'ec2.amazonaws.com' + and ( + (action in ('iam:attachgrouppolicy', 'iam:attachrolepolicy', 'iam:attachuserpolicy', 'iam:createpolicy', 'iam:createpolicyversion', 'iam:deleteaccountpasswordpolicy', 'iam:deletegrouppolicy', 'iam:deletepolicy', 'iam:deletepolicyversion', 'iam:deleterolepermissionsboundary', 'iam:deleterolepolicy', 'iam:deleteuserpermissionsboundary', 'iam:deleteuserpolicy', 'iam:detachgrouppolicy', 'iam:detachrolepolicy', 'iam:detachuserpolicy', 'iam:putgrouppolicy', 'iam:putrolepermissionsboundary', 'iam:putrolepolicy', 'iam:putuserpermissionsboundary', 'iam:putuserpolicy','iam:setdefaultpolicyversion','iam:updateassumerolerolicy', 'sts:assumerole', '*:*') + ) + ) + ) + select + i.arn as resource, + case + when p.arn is null then 'ok' + else 'alarm' + end status, + case + when p.arn is null then title || ' has no management level access.' + else title || ' has management level access.' 
+ end as reason + --${replace(local.tag_dimensions_qualifier_sql, "__QUALIFIER__", "i.")} + --${replace(local.common_dimensions_qualifier_global_sql, "__QUALIFIER__", "i.")} + from + aws_ec2_instance as i + left join iam_roles as r on r.intance_arn = i.arn + left join iam_role_with_permission as p on p.arn = r.role_arn + EOQ +} \ No newline at end of file diff --git a/conformance_pack/vpc.sp b/conformance_pack/vpc.sp index c48ffdbc..825f1fd3 100644 --- a/conformance_pack/vpc.sp +++ b/conformance_pack/vpc.sp @@ -431,6 +431,14 @@ control "vpc_not_in_use" { tags = local.conformance_pack_vpc_common_tags } +control "vpc_peering_connection_no_cross_account_access" { + title = "VPCs peering connection should not be allowed in cross account" + description = "Ensure that all VPCs peering connection are not having cross account access." + query = query.vpc_peering_connection_no_cross_account_access + + tags = local.conformance_pack_vpc_common_tags +} + query "vpc_flow_logs_enabled" { sql = <<-EOQ select @@ -1846,4 +1854,25 @@ query "vpc_vpn_gateway_per_region_less_then_4" { aws_region as r left join vpn_gateway_per_region as v on r.account_id = v.account_id and r.region = v.region; EOQ -} \ No newline at end of file +} + +query "vpc_peering_connection_no_cross_account_access" { + sql = <<-EOQ + select + id as resource, + case + when status_code <> 'active' then 'alarm' + when requester_owner_id <> accepter_owner_id then 'alarm' + else 'ok' + end as status, + case + when status_code <> 'active' then title || ' is not in active state.' + when requester_owner_id <> accepter_owner_id then title || ' have cross account access.' + else title || ' does not have cross account access.' + end as reason + ${local.tag_dimensions_sql} + ${local.common_dimensions_sql} + from + aws_vpc_peering_connection; + EOQ +} From a8a9431153a97461beda9cefcba2e49a0ab1a67c Mon Sep 17 00:00:00 2001 
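Review bot: `iam_role_with_permission` enumerates `assume_role_policy_std -> 'Statement'`, which by its name is the role's trust policy; trust-policy statements carry `sts:AssumeRole`-style actions naming who may assume the role, not the `iam:attachrolepolicy` / `iam:putrolepolicy` permissions in the `action in (...)` filter, so the only literal that could match is `'*:*'` (which a trust policy will not contain) and every instance reports `ok`. The permissions this control means to detect live in the role's attached and inline policy documents; the CTE should walk those statements instead, keeping the `service = 'ec2.amazonaws.com'` check only to confirm the role is assumable by EC2. `'iam:updateassumerolerolicy'` is misspelled (`iam:updateassumerolepolicy`) and will never match, and if the `_std` columns lower-case actions as their naming suggests, any mixed-case literal added later will silently miss too. Wildcards narrower than `*:*` (for example `iam:*`) are not covered by the list. The `${local...}` dimension lines are commented out, so this query returns fewer columns than its siblings.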
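Review bot: `when status_code <> 'active' then 'alarm'` turns every non-active peering — pending-acceptance, rejected, deleted, failed — into the same alarm as a live cross-account link, so the control's actual finding (`requester_owner_id <> accepter_owner_id`) is drowned by lifecycle noise and a deleted cross-account peering is indistinguishable from an active one. Non-active connections carry no traffic; `'skip'` (or `'info'`) with the existing `' is not in active state.'` reason is the more accurate status for that branch. The reason `' have cross account access.'` should read `' has cross account access.'`.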
From: khushboo9024 Date: Wed, 6 Dec 2023 20:39:32 +0530 Subject: [PATCH 15/25] update --- conformance_pack/ec2.sp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/conformance_pack/ec2.sp b/conformance_pack/ec2.sp index 4e54f295..c4c6a920 100644 --- a/conformance_pack/ec2.sp +++ b/conformance_pack/ec2.sp @@ -756,7 +756,7 @@ query "ec2_instance_no_management_level_access" { and s ->> 'Effect' = 'Allow' and service = 'ec2.amazonaws.com' and ( - (action in ('iam:attachgrouppolicy', 'iam:attachrolepolicy', 'iam:attachuserpolicy', 'iam:createpolicy', 'iam:createpolicyversion', 'iam:deleteaccountpasswordpolicy', 'iam:deletegrouppolicy', 'iam:deletepolicy', 'iam:deletepolicyversion', 'iam:deleterolepermissionsboundary', 'iam:deleterolepolicy', 'iam:deleteuserpermissionsboundary', 'iam:deleteuserpolicy', 'iam:detachgrouppolicy', 'iam:detachrolepolicy', 'iam:detachuserpolicy', 'iam:putgrouppolicy', 'iam:putrolepermissionsboundary', 'iam:putrolepolicy', 'iam:putuserpermissionsboundary', 'iam:putuserpolicy','iam:setdefaultpolicyversion','iam:updateassumerolerolicy', 'sts:assumerole', '*:*') + (action in ('iam:attachgrouppolicy', 'iam:attachrolepolicy', 'iam:attachuserpolicy', 'iam:createpolicy', 'iam:createpolicyversion', 'iam:deleteaccountpasswordpolicy', 'iam:deletegrouppolicy', 'iam:deletepolicy', 'iam:deletepolicyversion', 'iam:deleterolepermissionsboundary', 'iam:deleterolepolicy', 'iam:deleteuserpermissionsboundary', 'iam:deleteuserpolicy', 'iam:detachgrouppolicy', 'iam:detachrolepolicy', 'iam:detachuserpolicy', 'iam:putgrouppolicy', 'iam:putrolepermissionsboundary', 'iam:putrolepolicy', 'iam:putuserpermissionsboundary', 'iam:putuserpolicy','iam:setdefaultpolicyversion','iam:updateassumerolerolicy', '*:*') ) ) ) 
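Review bot: Dropping `'sts:assumerole'` from the list hides the symptom rather than the cause: every EC2 instance role's trust policy allows `sts:AssumeRole` to `ec2.amazonaws.com`, which is why that entry alarmed on every instance, and it shows the CTE is matching against `assume_role_policy_std` (the trust policy) rather than the role's permission policies. With it removed none of the remaining `iam:` literals can appear in a trust policy, so the query now reports `ok` unconditionally. The fix belongs in the source of the actions — the role's attached and inline policy statements — not in this list. The enclosing query starts and ends outside the hunk.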
@@ -770,8 +770,8 @@ query "ec2_instance_no_management_level_access" { when p.arn is null then title || ' has no management level access.' else title || ' has management level access.' end as reason - --${replace(local.tag_dimensions_qualifier_sql, "__QUALIFIER__", "i.")} - --${replace(local.common_dimensions_qualifier_global_sql, "__QUALIFIER__", "i.")} + ${replace(local.tag_dimensions_qualifier_sql, "__QUALIFIER__", "i.")} + ${replace(local.common_dimensions_qualifier_global_sql, "__QUALIFIER__", "i.")} from aws_ec2_instance as i left join iam_roles as r on r.intance_arn = i.arn From d0c00f0f023b913c53f8992aa18006af901f1c6f Mon Sep 17 00:00:00 2001 From: khushboo9024 Date: Wed, 6 Dec 2023 22:27:51 +0530 Subject: [PATCH 16/25] add new queries --- conformance_pack/ec2.sp | 192 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 192 insertions(+) diff --git a/conformance_pack/ec2.sp b/conformance_pack/ec2.sp index c4c6a920..83861040 100644 --- a/conformance_pack/ec2.sp +++ b/conformance_pack/ec2.sp 
@@ -777,4 +777,196 @@ query "ec2_instance_no_management_level_access" { left join iam_roles as r on r.intance_arn = i.arn left join iam_role_with_permission as p on p.arn = r.role_arn EOQ +} + +query "ec2_instance_no_data_destruction_access" { + sql = <<-EOQ + with iam_roles as ( + select + r.arn as role_arn, + i.arn as intance_arn + from + aws_iam_role as r, + jsonb_array_elements_text(instance_profile_arns) as p + left join aws_ec2_instance as i on p = i.iam_instance_profile_arn + where + i.arn is not null + ), iam_role_with_permission as ( + select + arn + from + aws_iam_role, + jsonb_array_elements(assume_role_policy_std -> 'Statement') as s, + jsonb_array_elements_text(s -> 'Principal' -> 'Service') as service, + jsonb_array_elements_text(s -> 'Action') as action + where + arn in (select role_arn from iam_roles) + and s ->> 'Effect' = 'Allow' + and service = 'ec2.amazonaws.com' + and ( + (action in ('s3:deletebucket', 'rds:deletedbcluster', 'rds:deletedbinstance', 'rds:deleteDBSnapshot', 'rds:deletedbclustersnapshot', 'rds:deleteglobalcluster', 'ec2:deletesnapshot', 'ec2:deletevolume', '*:*') + ) + ) + ) + select + i.arn as resource, + case + when p.arn is null then 'ok' + else 'alarm' + end status, + case + when p.arn is null then title || ' has no data destruction access.' + else title || ' has data destruction access.' 
+ end as reason + ${replace(local.tag_dimensions_qualifier_sql, "__QUALIFIER__", "i.")} + ${replace(local.common_dimensions_qualifier_global_sql, "__QUALIFIER__", "i.")} + from + aws_ec2_instance as i + left join iam_roles as r on r.intance_arn = i.arn + left join iam_role_with_permission as p on p.arn = r.role_arn; + EOQ +} + +query "ec2_instance_no_iam_write_level_access" { + sql = <<-EOQ + with iam_roles as ( + select + r.arn as role_arn, + i.arn as intance_arn + from + aws_iam_role as r, + jsonb_array_elements_text(instance_profile_arns) as p + left join aws_ec2_instance as i on p = i.iam_instance_profile_arn + where + i.arn is not null + ), iam_role_with_permission as ( + select + arn + from + aws_iam_role, + jsonb_array_elements(assume_role_policy_std -> 'Statement') as s, + jsonb_array_elements_text(s -> 'Principal' -> 'Service') as service, + jsonb_array_elements_text(s -> 'Action') as action + where + arn in (select role_arn from iam_roles) + and s ->> 'Effect' = 'Allow' + and service = 'ec2.amazonaws.com' + and ( + (action in 
('iam:addclientidtoopenidconnectprovider','iam:addroletoinstanceprofile','iam:addusertogroup','iam:changepassword','iam:createaccesskey','iam:createaccountalias','iam:creategroup','iam:createinstanceprofile','iam:createloginprofile','iam:createopenidconnectprovider','iam:createrole','iam:createsamlprovider','iam:createservicelinkedrole','iam:createservicespecificcredential','iam:createuser','iam:createvirtualmfadevice','iam:deactivatemfadevice','iam:deleteaccesskey','iam:deleteaccountalias','iam:deletegroup','iam:deleteinstanceprofile','iam:deleteloginprofile','iam:deleteopenidconnectprovider','iam:deleterole','iam:deletesamlprovider','iam:deletesshpublickey','iam:deleteservercertificate','iam:deleteservicelinkedrole','iam:deleteservicespecificcredential','iam:deletesigningcertificate','iam:deleteUser','iam:deletevirtualmfadevice','iam:enablemfadevice','iam:passrole','iam:removeclientidfromopenidconnectprovider','iam:removerolefrominstanceprofile','iam:removeuserfromgroup','iam:resetservicespecificcredential','iam:resyncmfadevice','iam:setsecuritytokenservicepreferences','iam:updateaccesskey','iam:updateaccountpasswordpolicy','iam:updategroup','iam:updateloginprofile','iam:updateopenidconnectproviderthumbprint','iam:updaterole','iam:updateroledescription','iam:updatesamlprovider','iam:updatesshpublicKey','iam:updateservercertificate','iam:updateservicespecificcredential','iam:updatesigningcertificate','iam:updateuser','iam:uploadsshpublicKey','iam:uploadservercertificate','iam:uploadsigningcertificate' ,'*:*') + ) + ) + ) + select + i.arn as resource, + case + when p.arn is null then 'ok' + else 'alarm' + end status, + case + when p.arn is null then title || ' has no IAM rite level access.' + else title || ' has IAM write level access.' 
+ end as reason + ${replace(local.tag_dimensions_qualifier_sql, "__QUALIFIER__", "i.")} + ${replace(local.common_dimensions_qualifier_global_sql, "__QUALIFIER__", "i.")} + from + aws_ec2_instance as i + left join iam_roles as r on r.intance_arn = i.arn + left join iam_role_with_permission as p on p.arn = r.role_arn; + EOQ +} + +query "ec2_instance_no_database_management_write_access" { + sql = <<-EOQ + with iam_roles as ( + select + r.arn as role_arn, + i.arn as intance_arn + from + aws_iam_role as r, + jsonb_array_elements_text(instance_profile_arns) as p + left join aws_ec2_instance as i on p = i.iam_instance_profile_arn + where + i.arn is not null + ), iam_role_with_permission as ( + select + arn + from + aws_iam_role, + jsonb_array_elements(assume_role_policy_std -> 'Statement') as s, + jsonb_array_elements_text(s -> 'Principal' -> 'Service') as service, + jsonb_array_elements_text(s -> 'Action') as action + where + arn in (select role_arn from iam_roles) + and s ->> 'Effect' = 'Allow' + and service = 'ec2.amazonaws.com' + and ( + (action in ('rds:modifydbcluster','rds:modifydbclusterendpoint','rds:modifydbinstance','rds:modifydbsnapshot','rds:modifyglobalcluster','dynamodb:updateitem','dynamodb:updatetable','memorydb:updatecluster','neptune-db:resetdatabase','neptune-db:writedataviaquery','docdb-elastic:updatecluster','elasticache:modifycachecluster','cassandra:alter','cassandra:modify','qldb:executestatement','qldb:partiqlupdate','qldb:sendcommand','qldb:updateledger','redshift:modifycluster','redshift:modifyclustersnapshot','redshift:modifyendpointaccess','timestream:updatedatabase','timestream:updatetable','timestream:writerecords', '*:*') + ) + ) + ) + select + i.arn as resource, + case + when p.arn is null then 'ok' + else 'alarm' + end status, + case + when p.arn is null then title || ' has no database management write level access.' + else title || ' has database management write level access.' 
+ end as reason + ${replace(local.tag_dimensions_qualifier_sql, "__QUALIFIER__", "i.")} + ${replace(local.common_dimensions_qualifier_global_sql, "__QUALIFIER__", "i.")} + from + aws_ec2_instance as i + left join iam_roles as r on r.intance_arn = i.arn + left join iam_role_with_permission as p on p.arn = r.role_arn; + EOQ +} + +query "ec2_instance_no_org_write_access" { + sql = <<-EOQ + with iam_roles as ( + select + r.arn as role_arn, + i.arn as intance_arn + from + aws_iam_role as r, + jsonb_array_elements_text(instance_profile_arns) as p + left join aws_ec2_instance as i on p = i.iam_instance_profile_arn + where + i.arn is not null + ), iam_role_with_permission as ( + select + arn + from + aws_iam_role, + jsonb_array_elements(assume_role_policy_std -> 'Statement') as s, + jsonb_array_elements_text(s -> 'Principal' -> 'Service') as service, + jsonb_array_elements_text(s -> 'Action') as action + where + arn in (select role_arn from iam_roles) + and s ->> 'Effect' = 'Allow' + and service = 'ec2.amazonaws.com' + and ( + (action in ('organizations:accepthandshake','organizations:attachpolicy','organizations:cancelhandshake','organizations:createaccount','organizations:creategovcloudaccount','organizations:createorganization','organizations:createorganizationalunit','organizations:createpolicy','organizations:declinehandshake','organizations:deleteorganization','organizations:deleteorganizationalunit','organizations:deletepolicy','organizations:deregisterdelegatedadministrator','organizations:detachpolicy','organizations:disableawsserviceaccess','organizations:disablepolicytype','organizations:enableawsserviceaccess','organizations:enableallfeatures','organizations:enablepolicytype','organizations:inviteaccounttoorganization','organizations:Leaveorganization','organizations:moveaccount','organizations:registerdelegatedadministrator','organizations:removeaccountfromorganization','organizations:updateorganizationalunit','organizations:updatepolicy', '*:*') + ) + ) + ) + 
select + i.arn as resource, + case + when p.arn is null then 'ok' + else 'alarm' + end status, + case + when p.arn is null then title || ' has no database management write level access.' + else title || ' has database management write level access.' + end as reason + ${replace(local.tag_dimensions_qualifier_sql, "__QUALIFIER__", "i.")} + ${replace(local.common_dimensions_qualifier_global_sql, "__QUALIFIER__", "i.")} + from + aws_ec2_instance as i + left join iam_roles as r on r.intance_arn = i.arn + left join iam_role_with_permission as p on p.arn = r.role_arn; + EOQ } \ No newline at end of file From 8cffba86df3359823de8af54477a1a8c183eafa0 Mon Sep 17 00:00:00 2001 From: khushboo9024 Date: Wed, 6 Dec 2023 22:38:10 +0530 Subject: [PATCH 17/25] update --- conformance_pack/ec2.sp | 186 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 186 insertions(+) diff --git a/conformance_pack/ec2.sp b/conformance_pack/ec2.sp index 83861040..4ef02364 100644 --- a/conformance_pack/ec2.sp +++ b/conformance_pack/ec2.sp 
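Review bot: `ec2_instance_no_org_write_access` copies its reason strings from the database query — `' has no database management write level access.'` / `' has database management write level access.'` — so an Organizations finding will be reported as a database one; they should read `' has no organization write level access.'` / `' has organization write level access.'`. `ec2_instance_no_iam_write_level_access` has `' has no IAM rite level access.'` (missing the w). All four `iam_role_with_permission` CTEs inspect `assume_role_policy_std`, the trust policy, which carries only assume-role actions, so none of the `rds:`, `dynamodb:`, `organizations:` or `iam:` literals can match and every instance comes back `ok`; the lists need to be applied to the role's attached and inline policy statements. Several literals are mixed-case (`'rds:deleteDBSnapshot'`, `'iam:deleteUser'`, `'iam:updatesshpublicKey'`, `'iam:uploadsshpublicKey'`, `'organizations:Leaveorganization'`) while the rest are lower-case; if the `_std` columns normalise actions to lower case, those entries never match. The identical `iam_roles` CTE (with `intance_arn` misspelled) is pasted into every query; one shared definition would be easier to keep consistent.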
@@ -969,4 +969,190 @@ query "ec2_instance_no_org_write_access" { left join iam_roles as r on r.intance_arn = i.arn left join iam_role_with_permission as p on p.arn = r.role_arn; EOQ +} + +query "ec2_instance_no_privilege_escalation_risk_access" { + sql = <<-EOQ + with iam_roles as ( + select + r.arn as role_arn, + i.arn as intance_arn + from + aws_iam_role as r, + jsonb_array_elements_text(instance_profile_arns) as p + left join aws_ec2_instance as i on p = i.iam_instance_profile_arn + where + i.arn is not null + ), iam_role_with_permission as ( + select + arn + from + aws_iam_role, + jsonb_array_elements(assume_role_policy_std -> 'Statement') as s, + jsonb_array_elements_text(s -> 'Principal' -> 'Service') as service, + jsonb_array_elements_text(s -> 'Action') as action + where + arn in (select role_arn from iam_roles) + and s ->> 'Effect' = 'Allow' + and service = 'ec2.amazonaws.com' + and ( + (action in ('iam:createpolicy', 'iam:createpolicyversion', 'iam:SetDefaultpolicyversion', 'iam:passrole', 'iam:createaccessKey', 'iam:createloginprofile', 'iam:updateloginprofile', 'iam:attachuserpolicy', 'iam:attachgrouppolicy', 'iam:attachrolepolicy', 'iam:putuserpolicy', 'iam:putgrouppolicy', 'iam:putrolepolicy', 'iam:addusertogroup', 'iam:updateassumerolepolicy', '*:*') + ) + ) + ) + select + i.arn as resource, + case + when p.arn is null then 'ok' + else 'alarm' + end status, + case + when p.arn is null then title || ' has no privilege escalation access.' + else title || ' has privilege escalation access.' 
+ end as reason + ${replace(local.tag_dimensions_qualifier_sql, "__QUALIFIER__", "i.")} + ${replace(local.common_dimensions_qualifier_global_sql, "__QUALIFIER__", "i.")} + from + aws_ec2_instance as i + left join iam_roles as r on r.intance_arn = i.arn + left join iam_role_with_permission as p on p.arn = r.role_arn; + EOQ +} + +query "ec2_instance_no_new_group_creation_with_attached_policy_access" { + sql = <<-EOQ + with iam_roles as ( + select + r.arn as role_arn, + i.arn as intance_arn + from + aws_iam_role as r, + jsonb_array_elements_text(instance_profile_arns) as p + left join aws_ec2_instance as i on p = i.iam_instance_profile_arn + where + i.arn is not null + ), iam_role_with_permission as ( + select + arn + from + aws_iam_role, + jsonb_array_elements(assume_role_policy_std -> 'Statement') as s, + jsonb_array_elements_text(s -> 'Principal' -> 'Service') as service, + jsonb_array_elements_text(s -> 'Action') as action + where + arn in (select role_arn from iam_roles) + and s ->> 'Effect' = 'Allow' + and service = 'ec2.amazonaws.com' + and action = 'iam:creategroup' + and action = 'iam:attachgrouppolicy' + ) + select + i.arn as resource, + case + when p.arn is null then 'ok' + else 'alarm' + end status, + case + when p.arn is null then title || ' has no new group creation with attached policy access.' + else title || ' has new group creation with attached policy access.' 
+ end as reason + ${replace(local.tag_dimensions_qualifier_sql, "__QUALIFIER__", "i.")} + ${replace(local.common_dimensions_qualifier_global_sql, "__QUALIFIER__", "i.")} + from + aws_ec2_instance as i + left join iam_roles as r on r.intance_arn = i.arn + left join iam_role_with_permission as p on p.arn = r.role_arn; + EOQ +} + +query "ec2_instance_no_new_role_creation_with_attached_policy_access" { + sql = <<-EOQ + with iam_roles as ( + select + r.arn as role_arn, + i.arn as intance_arn + from + aws_iam_role as r, + jsonb_array_elements_text(instance_profile_arns) as p + left join aws_ec2_instance as i on p = i.iam_instance_profile_arn + where + i.arn is not null + ), iam_role_with_permission as ( + select + arn + from + aws_iam_role, + jsonb_array_elements(assume_role_policy_std -> 'Statement') as s, + jsonb_array_elements_text(s -> 'Principal' -> 'Service') as service, + jsonb_array_elements_text(s -> 'Action') as action + where + arn in (select role_arn from iam_roles) + and s ->> 'Effect' = 'Allow' + and service = 'ec2.amazonaws.com' + and action = 'iam:createrole' + and action = 'iam:attachrolepolicy' + ) + select + i.arn as resource, + case + when p.arn is null then 'ok' + else 'alarm' + end status, + case + when p.arn is null then title || ' has no new role creation with attached policy access.' + else title || ' has new role creation with attached policy access.' 
+ end as reason + ${replace(local.tag_dimensions_qualifier_sql, "__QUALIFIER__", "i.")} + ${replace(local.common_dimensions_qualifier_global_sql, "__QUALIFIER__", "i.")} + from + aws_ec2_instance as i + left join iam_roles as r on r.intance_arn = i.arn + left join iam_role_with_permission as p on p.arn = r.role_arn; + EOQ +} + +query "ec2_instance_no_new_user_creation_with_attached_policy_access" { + sql = <<-EOQ + with iam_roles as ( + select + r.arn as role_arn, + i.arn as intance_arn + from + aws_iam_role as r, + jsonb_array_elements_text(instance_profile_arns) as p + left join aws_ec2_instance as i on p = i.iam_instance_profile_arn + where + i.arn is not null + ), iam_role_with_permission as ( + select + arn + from + aws_iam_role, + jsonb_array_elements(assume_role_policy_std -> 'Statement') as s, + jsonb_array_elements_text(s -> 'Principal' -> 'Service') as service, + jsonb_array_elements_text(s -> 'Action') as action + where + arn in (select role_arn from iam_roles) + and s ->> 'Effect' = 'Allow' + and service = 'ec2.amazonaws.com' + and action = 'iam:createuser' + and action = 'iam:attachuserpolicy' + ) + select + i.arn as resource, + case + when p.arn is null then 'ok' + else 'alarm' + end status, + case + when p.arn is null then title || ' has no new user creation with attached policy access.' + else title || ' has new user creation with attached policy access.' + end as reason + --${replace(local.tag_dimensions_qualifier_sql, "__QUALIFIER__", "i.")} + -- ${replace(local.common_dimensions_qualifier_global_sql, "__QUALIFIER__", "i.")} + from + aws_ec2_instance as i + left join iam_roles as r on r.intance_arn = i.arn + left join iam_role_with_permission as p on p.arn = r.role_arn; + EOQ } \ No newline at end of file From fbc71090699f78d4b904e346395e9be05ba02238 Mon Sep 17 00:00:00 2001 
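Review bot: In `ec2_instance_no_new_group_creation_with_attached_policy_access` the filter `and action = 'iam:creategroup' and action = 'iam:attachgrouppolicy'` is applied to a single unnested `action` value, so it can never be true; the CTE is always empty and every instance reports `ok`. The same contradiction is in the role (`iam:createrole` / `iam:attachrolepolicy`) and user (`iam:createuser` / `iam:attachuserpolicy`) queries. The intent — a role holding both actions — needs an aggregate over the role's actions, as below; the same rewrite applies to all three. As with the sibling queries, these read `assume_role_policy_std` (the trust policy), where neither action will appear, so the statement source should be the role's permission policies; the dimension lines in the user query are also commented out, unlike its siblings.
```sql
), iam_role_with_permission as (
  select
    arn
  from
    aws_iam_role,
    -- NOTE(review): this is the trust policy; the role's permission policies are the intended source
    jsonb_array_elements(assume_role_policy_std -> 'Statement') as s,
    jsonb_array_elements_text(s -> 'Principal' -> 'Service') as service,
    jsonb_array_elements_text(s -> 'Action') as action
  where
    arn in (select role_arn from iam_roles)
    and s ->> 'Effect' = 'Allow'
    and service = 'ec2.amazonaws.com'
    and action in ('iam:creategroup', 'iam:attachgrouppolicy')
  group by
    arn
  -- a role must hold BOTH actions to create a group and attach a policy to it
  having
    bool_or(action = 'iam:creategroup')
    and bool_or(action = 'iam:attachgrouppolicy')
)
-- … unchanged: final select over aws_ec2_instance …
```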
From: khushboo9024 Date: Fri, 8 Dec 2023 11:09:08 +0530 Subject: [PATCH 18/25] update --- all_controls/ec2.sp | 16 ++ conformance_pack/ec2.sp | 510 +++++++++++++++++++++++++++++++++++++++- 2 files changed, 518 insertions(+), 8 deletions(-) diff --git a/all_controls/ec2.sp b/all_controls/ec2.sp index 122755fa..921c572c 100644 --- a/all_controls/ec2.sp +++ b/all_controls/ec2.sp @@ -29,6 +29,22 @@ benchmark "all_controls_ec2" { control.ec2_stopped_instance_30_days, control.ec2_transit_gateway_auto_cross_account_attachment_disabled, control.ec2_instance_no_management_level_access, + control.ec2_instance_no_iam_role_with_data_destruction_access, + control.ec2_instance_no_iam_with_write_level_access, + control.ec2_instance_no_iam_role_with_database_management_write_access, + control.ec2_instance_no_iam_role_with_org_write_access, + control.ec2_instance_no_iam_role_with_privilege_escalation_risk_access, + control.ec2_instance_no_iam_role_with_new_group_creation_with_attached_policy_access, + control.ec2_instance_no_iam_role_with_new_role_creation_with_attached_policy_access, + control.ec2_instance_no_iam_role_with_new_user_creation_with_attached_policy_access, + control.ec2_instance_no_iam_role_with_write_access_to_resource_based_policies, + control.ec2_instance_no_iam_role_attached_with_credentials_exposure_access, + control.ec2_instance_no_iam_role_with_alter_critical_s3_permissions_configuration, + control.ec2_instance_no_iam_role_with_destruction_kms_access, + control.ec2_instance_no_iam_role_with_destruction_rds_access, + control.ec2_instance_no_iam_role_with_cloud_log_tampering_access, + control.ec2_instance_no_iam_role_with_write_permission_on_critical_s3_configuration, + control.ec2_instance_no_iam_role_with_security_group_write_access, ] tags = merge(local.all_controls_ec2_common_tags, { diff --git a/conformance_pack/ec2.sp b/conformance_pack/ec2.sp index 4ef02364..20f4a6d0 100644 --- a/conformance_pack/ec2.sp +++ b/conformance_pack/ec2.sp 
@@ -292,6 +292,134 @@ control "ec2_instance_no_management_level_access" { tags = local.conformance_pack_ec2_common_tags } +control "ec2_instance_no_iam_role_with_data_destruction_access" { + title = "EC2 instance IAM role should not allow data destruction access" + description = "This control checks whether EC2 instance IAM roles should not allow data destruction access." + query = query.ec2_instance_no_iam_role_with_data_destruction_access + + tags = local.conformance_pack_ec2_common_tags +} + +control "ec2_instance_no_iam_with_write_level_access" { + title = "EC2 instance IAM role should not allow write level access" + description = "This control checks whether EC2 instance IAM roles should not allow write level access." + query = query.ec2_instance_no_iam_with_write_level_access + + tags = local.conformance_pack_ec2_common_tags +} + +control "ec2_instance_no_iam_role_with_database_management_write_access" { + title = "EC2 instance IAM role should not allow database management write access" + description = "This control checks whether EC2 instance IAM roles should not allow database management write access." + query = query.ec2_instance_no_iam_role_with_database_management_write_access + + tags = local.conformance_pack_ec2_common_tags +} + +control "ec2_instance_no_iam_role_with_org_write_access" { + title = "EC2 instance IAM role should not allow oraganization write access" + description = "This control checks whether EC2 instance IAM roles should not allow oraganization write access." + query = query.ec2_instance_no_iam_role_with_org_write_access + + tags = local.conformance_pack_ec2_common_tags +} + +control "ec2_instance_no_iam_role_with_privilege_escalation_risk_access" { + title = "EC2 instance IAM role should not allow privilege escalation risk access" + description = "This control checks whether EC2 instance IAM roles should not allow privilege escalation risk access." 
+ query = query.ec2_instance_no_iam_role_with_privilege_escalation_risk_access + + tags = local.conformance_pack_ec2_common_tags +} + +control "ec2_instance_no_iam_role_with_new_group_creation_with_attached_policy_access" { + title = "EC2 instance IAM role should not allow new group creation with attached policy access" + description = "This control checks whether EC2 instance IAM roles should not allow new group creation with attached policy access." + query = query.ec2_instance_no_iam_role_with_new_group_creation_with_attached_policy_access + + tags = local.conformance_pack_ec2_common_tags +} + +control "ec2_instance_no_iam_role_with_new_role_creation_with_attached_policy_access" { + title = "EC2 instance IAM role should not allow new role creation with attached policy access" + description = "This control checks whether EC2 instance IAM roles should not allow new role creation with attached policy access." + query = query.ec2_instance_no_iam_role_with_new_role_creation_with_attached_policy_access + + tags = local.conformance_pack_ec2_common_tags +} + +control "ec2_instance_no_iam_role_with_new_user_creation_with_attached_policy_access" { + title = "EC2 instance IAM role should not allow new user creation with attached policy access" + description = "This control checks whether EC2 instance IAM roles should not allow new user creation with attached policy access." + query = query.ec2_instance_no_iam_role_with_new_user_creation_with_attached_policy_access + + tags = local.conformance_pack_ec2_common_tags +} + +control "ec2_instance_no_iam_role_with_write_access_to_resource_based_policies" { + title = "EC2 instance IAM role should not allow write access to resource based policies" + description = "This control checks whether EC2 instance IAM roles should not allow write access to resource based policies." 
+ query = query.ec2_instance_no_iam_role_with_write_access_to_resource_based_policies + + tags = local.conformance_pack_ec2_common_tags +} + +control "ec2_instance_no_iam_role_attached_with_credentials_exposure_access" { + title = "EC2 instance IAM role should not be attached with credentials exposure access" + description = "This control checks whether EC2 instance IAM roles should not be attached with credentials exposure access." + query = query.ec2_instance_no_iam_role_attached_with_credentials_exposure_access + + tags = local.conformance_pack_ec2_common_tags +} + +control "ec2_instance_no_iam_role_with_alter_critical_s3_permissions_configuration" { + title = "EC2 instance IAM role should not allow to alter critical s3 permissions configuration" + description = "This control checks whether EC2 instance IAM roles should not allow to alter critical s3 permissions configuration." + query = query.ec2_instance_no_iam_role_with_alter_critical_s3_permissions_configuration + + tags = local.conformance_pack_ec2_common_tags +} + +control "ec2_instance_no_iam_role_with_destruction_kms_access" { + title = "EC2 instance IAM role should not allow destruction KMS access" + description = "This control checks whether EC2 instance IAM roles should not allow destruction KMS access." + query = query.ec2_instance_no_iam_role_with_destruction_kms_access + + tags = local.conformance_pack_ec2_common_tags +} + +control "ec2_instance_no_iam_role_with_destruction_rds_access" { + title = "EC2 instance IAM role should not allow destruction RDS access" + description = "This control checks whether EC2 instance IAM roles should not allow destruction RDS access." 
+ query = query.ec2_instance_no_iam_role_with_destruction_rds_access + + tags = local.conformance_pack_ec2_common_tags +} + +control "ec2_instance_no_iam_role_with_cloud_log_tampering_access" { + title = "EC2 instance IAM role should not allow cloud log tampering access" + description = "This control checks whether EC2 instance IAM roles should not allow cloud log tampering access." + query = query.ec2_instance_no_iam_role_with_cloud_log_tampering_access + + tags = local.conformance_pack_ec2_common_tags +} + +control "ec2_instance_no_iam_role_with_write_permission_on_critical_s3_configuration" { + title = "EC2 instance IAM role should not allow write permission on critical s3 configuration" + description = "This control checks whether EC2 instance IAM roles should not allow write permission on critical s3 configuration." + query = query.ec2_instance_no_iam_role_with_write_permission_on_critical_s3_configuration + + tags = local.conformance_pack_ec2_common_tags +} + +control "ec2_instance_no_iam_role_with_security_group_write_access" { + title = "EC2 instance IAM role should not allow security group write access" + description = "This control checks whether EC2 instance IAM roles should not allow security group write access." + query = query.ec2_instance_no_iam_role_with_security_group_write_access + + tags = local.conformance_pack_ec2_common_tags +} + query "ec2_ebs_default_encryption_enabled" { sql = <<-EOQ select @@ -779,7 +907,7 @@ query "ec2_instance_no_management_level_access" { EOQ } -query "ec2_instance_no_data_destruction_access" { +query "ec2_instance_no_iam_role_with_data_destruction_access" { sql = <<-EOQ with iam_roles as ( select @@ -827,7 +955,7 @@ query "ec2_instance_no_data_destruction_access" { EOQ } -query "ec2_instance_no_iam_write_level_access" { +query "ec2_instance_no_iam_with_write_level_access" { sql = <<-EOQ with iam_roles as ( select 
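Review bot: The new descriptions are all phrased as `This control checks whether EC2 instance IAM roles should not allow ... access.`, which mixes a question with a requirement; `This control checks whether the IAM role attached to an EC2 instance allows ... access.` states what is evaluated. `oraganization` is misspelled in both the title and description of `ec2_instance_no_iam_role_with_org_write_access`. `ec2_instance_no_iam_with_write_level_access` breaks the `ec2_instance_no_iam_role_with_…` naming used by the other fifteen controls, and its title `should not allow write level access` drops the IAM qualifier that its query (a list of `iam:` actions) implies — `EC2 instance IAM role should not allow IAM write level access` matches what is checked.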
@@ -875,7 +1003,7 @@ query "ec2_instance_no_iam_write_level_access" {
 EOQ
 }
-query "ec2_instance_no_database_management_write_access" {
+query "ec2_instance_no_iam_role_with_database_management_write_access" {
 sql = <<-EOQ
 with iam_roles as (
 select
@@ -923,7 +1051,7 @@ query "ec2_instance_no_database_management_write_access" {
 EOQ
 }
-query "ec2_instance_no_org_write_access" {
+query "ec2_instance_no_iam_role_with_org_write_access" {
 sql = <<-EOQ
 with iam_roles as (
 select
@@ -971,7 +1099,7 @@ query "ec2_instance_no_org_write_access" {
 EOQ
 }
-query "ec2_instance_no_privilege_escalation_risk_access" {
+query "ec2_instance_no_iam_role_with_privilege_escalation_risk_access" {
 sql = <<-EOQ
 with iam_roles as (
 select
@@ -1019,7 +1147,7 @@ query "ec2_instance_no_privilege_escalation_risk_access" {
 EOQ
 }
-query "ec2_instance_no_new_group_creation_with_attached_policy_access" {
+query "ec2_instance_no_iam_role_with_new_group_creation_with_attached_policy_access" {
 sql = <<-EOQ
 with iam_roles as (
 select
@@ -1065,7 +1193,7 @@ query "ec2_instance_no_new_group_creation_with_attached_policy_access" {
 EOQ
 }
-query "ec2_instance_no_new_role_creation_with_attached_policy_access" {
+query "ec2_instance_no_iam_role_with_new_role_creation_with_attached_policy_access" {
 sql = <<-EOQ
 with iam_roles as (
 select
@@ -1111,7 +1239,7 @@ query "ec2_instance_no_new_role_creation_with_attached_policy_access" {
 EOQ
 }
-query "ec2_instance_no_new_user_creation_with_attached_policy_access" {
+query "ec2_instance_no_iam_role_with_new_user_creation_with_attached_policy_access" {
 sql = <<-EOQ
 with iam_roles as (
 select
@@ -1155,4 +1283,370 @@ query "ec2_instance_no_new_user_creation_with_attached_policy_access" {
 left join iam_roles as r on r.intance_arn = i.arn
 left join iam_role_with_permission as p on p.arn = r.role_arn;
 EOQ
+}
+
+query "ec2_instance_no_iam_role_with_write_access_to_resource_based_policies" {
+ sql = <<-EOQ
+ with iam_roles as (
+ select
+ r.arn as role_arn,
+ i.arn as intance_arn
+ from
+ aws_iam_role as r,
+ jsonb_array_elements_text(instance_profile_arns) as p
+ left join aws_ec2_instance as i on p = i.iam_instance_profile_arn
+ where
+ i.arn is not null
+ ), iam_role_with_permission as (
+ select
+ arn
+ from
+ aws_iam_role,
+ jsonb_array_elements(assume_role_policy_std -> 'Statement') as s,
+ jsonb_array_elements_text(s -> 'Principal' -> 'Service') as service,
+ jsonb_array_elements_text(s -> 'Action') as action
+ where
+ arn in (select role_arn from iam_roles)
+ and s ->> 'Effect' = 'Allow'
+ and service = 'ec2.amazonaws.com'
+ and action in (
+ 'ecr:setrepositorypolicy','serverlessrepo:putapplicationpolicy','backup:putbackupvaultaccesspolicy','efs:putfilesystempolicy','glacier:setvaultaccesspolicy','secretsmanager:putresourcepolicy','events:putpermission','mediastore:putcontainerpolicy','glue:putresourcepolicy','ses:putidentitypolicy','lambda:addpermission','lambda:addlayerversionpermission','s3:putbucketpolicy','s3:putbucketacl','s3:putObject','s3:putobjectacl','kms:creategrant','kms:putkeypolicy','es:Updateelasticsearchdomainconfig','sns:addpermission','sqs:addpermission', '*:*'
+ )
+ )
+ select
+ i.arn as resource,
+ case
+ when p.arn is null then 'ok'
+ else 'alarm'
+ end status,
+ case
+ when p.arn is null then title || ' has no write access permission to resource based policiess.'
+ else title || ' has write access permission to resource based policiess.'
+ end as reason
+ ${replace(local.tag_dimensions_qualifier_sql, "__QUALIFIER__", "i.")}
+ ${replace(local.common_dimensions_qualifier_global_sql, "__QUALIFIER__", "i.")}
+ from
+ aws_ec2_instance as i
+ left join iam_roles as r on r.intance_arn = i.arn
+ left join iam_role_with_permission as p on p.arn = r.role_arn;
+ EOQ
+}
+
+query "ec2_instance_no_iam_role_attached_with_credentials_exposure_access" {
+ sql = <<-EOQ
+ with iam_roles as (
+ select
+ r.arn as role_arn,
+ i.arn as intance_arn
+ from
+ aws_iam_role as r,
+ jsonb_array_elements_text(instance_profile_arns) as p
+ left join aws_ec2_instance as i on p = i.iam_instance_profile_arn
+ where
+ i.arn is not null
+ ), iam_role_with_permission as (
+ select
+ arn
+ from
+ aws_iam_role,
+ jsonb_array_elements(assume_role_policy_std -> 'Statement') as s,
+ jsonb_array_elements_text(s -> 'Principal' -> 'Service') as service,
+ jsonb_array_elements_text(s -> 'Action') as action
+ where
+ arn in (select role_arn from iam_roles)
+ and s ->> 'Effect' = 'Allow'
+ and service = 'ec2.amazonaws.com'
+ and action in (
+ 'chime:createapikey', 'codepipeline:pollforjobs', 'cognito-identity:getopenidtoken', 'cognito-identity:getopenidtokenfordeveloperidentity', 'cognito-identity:getcredentialsforidentity', 'connect:getfederationtoken', 'connect:getfederationtokens', 'ec2:getpassworddata', 'ecr:getauthorizationtoken', 'gamelift:requestuploadcredentials', 'iam:createaccesskey', 'iam:createloginprofile', 'iam:createservicespecificcredential', 'iam:resetservicespecificcredential', 'iam:updateaccesskey', 'lightsail:getinstanceaccessdetails', 'lightsail:getrelationaldatabasemasteruserpassword', 'rds-db:connect', 'redshift:getclustercredentials', 'sso:getrolecredentials', 'mediapackage:rotatechannelcredentials', 'mediapackage:rotateingestendpointcredentials', 'sts:assumerole', 'sts:assumerolewithsaml', 'sts:assumerolewithwebidentity', 'sts:getfederationtoken', 'sts:getsessiontoken', '*:*'
+ )
+ )
+ select
+ i.arn as resource,
+ case
+ when p.arn is null then 'ok'
+ else 'alarm'
+ end status,
+ case
+ when p.arn is null then title || ' has no IAM role attached with credentials exposure permissions.'
+ else title || ' has IAM role attached with credentials exposure permissions.'
+ end as reason
+ --${replace(local.tag_dimensions_qualifier_sql, "__QUALIFIER__", "i.")}
+ -- ${replace(local.common_dimensions_qualifier_global_sql, "__QUALIFIER__", "i.")}
+ from
+ aws_ec2_instance as i
+ left join iam_roles as r on r.intance_arn = i.arn
+ left join iam_role_with_permission as p on p.arn = r.role_arn;
+ EOQ
+}
+
+query "ec2_instance_no_iam_role_with_alter_critical_s3_permissions_configuration" {
+ sql = <<-EOQ
+ with iam_roles as (
+ select
+ r.arn as role_arn,
+ i.arn as intance_arn
+ from
+ aws_iam_role as r,
+ jsonb_array_elements_text(instance_profile_arns) as p
+ left join aws_ec2_instance as i on p = i.iam_instance_profile_arn
+ where
+ i.arn is not null
+ ), iam_role_with_permission as (
+ select
+ arn
+ from
+ aws_iam_role,
+ jsonb_array_elements(assume_role_policy_std -> 'Statement') as s,
+ jsonb_array_elements_text(s -> 'Principal' -> 'Service') as service,
+ jsonb_array_elements_text(s -> 'Action') as action
+ where
+ arn in (select role_arn from iam_roles)
+ and s ->> 'Effect' = 'Allow'
+ and service = 'ec2.amazonaws.com'
+ and action in (
+ 's3:putobjectretention','s3:putlifecycleconfiguration','s3:putbucketpolicy','s3:putbucketversioning', '*:*'
+ )
+ )
+ select
+ i.arn as resource,
+ case
+ when p.arn is null then 'ok'
+ else 'alarm'
+ end status,
+ case
+ when p.arn is null then title || ' has no IAM role with alter critical s3 permissions configuration.'
+ else title || ' has IAM role with alter critical s3 permissions configuration.'
+ end as reason
+ --${replace(local.tag_dimensions_qualifier_sql, "__QUALIFIER__", "i.")}
+ -- ${replace(local.common_dimensions_qualifier_global_sql, "__QUALIFIER__", "i.")}
+ from
+ aws_ec2_instance as i
+ left join iam_roles as r on r.intance_arn = i.arn
+ left join iam_role_with_permission as p on p.arn = r.role_arn;
+ EOQ
+}
+
+query "ec2_instance_no_iam_role_with_destruction_kms_access" {
+ sql = <<-EOQ
+ with iam_roles as (
+ select
+ r.arn as role_arn,
+ i.arn as intance_arn
+ from
+ aws_iam_role as r,
+ jsonb_array_elements_text(instance_profile_arns) as p
+ left join aws_ec2_instance as i on p = i.iam_instance_profile_arn
+ where
+ i.arn is not null
+ ), iam_role_with_permission as (
+ select
+ arn
+ from
+ aws_iam_role,
+ jsonb_array_elements(assume_role_policy_std -> 'Statement') as s,
+ jsonb_array_elements_text(s -> 'Principal' -> 'Service') as service,
+ jsonb_array_elements_text(s -> 'Action') as action
+ where
+ arn in (select role_arn from iam_roles)
+ and s ->> 'Effect' = 'Allow'
+ and service = 'ec2.amazonaws.com'
+ and action in ('secretsmanager:getsecretvalue', 'kms:decrypt', '*:*')
+ )
+ select
+ i.arn as resource,
+ case
+ when p.arn is null then 'ok'
+ else 'alarm'
+ end status,
+ case
+ when p.arn is null then title || ' has no IAM role with destruction KMS permission'
+ else title || ' has IAM role with destruction KMS permission'
+ end as reason
+ ${replace(local.tag_dimensions_qualifier_sql, "__QUALIFIER__", "i.")}
+ ${replace(local.common_dimensions_qualifier_global_sql, "__QUALIFIER__", "i.")}
+ from
+ aws_ec2_instance as i
+ left join iam_roles as r on r.intance_arn = i.arn
+ left join iam_role_with_permission as p on p.arn = r.role_arn;
+ EOQ
+}
+
+query "ec2_instance_no_iam_role_with_destruction_rds_access" {
+ sql = <<-EOQ
+ with iam_roles as (
+ select
+ r.arn as role_arn,
+ i.arn as intance_arn
+ from
+ aws_iam_role as r,
+ jsonb_array_elements_text(instance_profile_arns) as p
+ left join aws_ec2_instance as i on p =
i.iam_instance_profile_arn
+ where
+ i.arn is not null
+ ), iam_role_with_permission as (
+ select
+ arn
+ from
+ aws_iam_role,
+ jsonb_array_elements(assume_role_policy_std -> 'Statement') as s,
+ jsonb_array_elements_text(s -> 'Principal' -> 'Service') as service,
+ jsonb_array_elements_text(s -> 'Action') as action
+ where
+ arn in (select role_arn from iam_roles)
+ and s ->> 'Effect' = 'Allow'
+ and service = 'ec2.amazonaws.com'
+ and action in ( 'srds-data:ExecuteStatement', 'rds-data:BatchExecuteStatement', '*:*')
+ )
+ select
+ i.arn as resource,
+ case
+ when p.arn is null then 'ok'
+ else 'alarm'
+ end status,
+ case
+ when p.arn is null then title || ' has no IAM role with destruction RDS permission'
+ else title || ' has IAM role with destruction RDS permission'
+ end as reason
+ ${replace(local.tag_dimensions_qualifier_sql, "__QUALIFIER__", "i.")}
+ ${replace(local.common_dimensions_qualifier_global_sql, "__QUALIFIER__", "i.")}
+ from
+ aws_ec2_instance as i
+ left join iam_roles as r on r.intance_arn = i.arn
+ left join iam_role_with_permission as p on p.arn = r.role_arn;
+ EOQ
+}
+
+query "ec2_instance_no_iam_role_with_cloud_log_tampering_access" {
+ sql = <<-EOQ
+ with iam_roles as (
+ select
+ r.arn as role_arn,
+ i.arn as intance_arn
+ from
+ aws_iam_role as r,
+ jsonb_array_elements_text(instance_profile_arns) as p
+ left join aws_ec2_instance as i on p = i.iam_instance_profile_arn
+ where
+ i.arn is not null
+ ), iam_role_with_permission as (
+ select
+ arn
+ from
+ aws_iam_role,
+ jsonb_array_elements(assume_role_policy_std -> 'Statement') as s,
+ jsonb_array_elements_text(s -> 'Principal' -> 'Service') as service,
+ jsonb_array_elements_text(s -> 'Action') as action
+ where
+ arn in (select role_arn from iam_roles)
+ and s ->> 'Effect' = 'Allow'
+ and service = 'ec2.amazonaws.com'
+ and action in (
'cloudtrail:deletetrail','cloudtrail:puteventselectors','cloudtrail:stoplogging','ec2:deleteflowlogs','s3:putbucketlogging','logs:deletelogstream','logs:deleteloggroup','waf:deleteloggingconfiguration','waf:putloggingconfiguration', '*:*')
+ )
+ select
+ i.arn as resource,
+ case
+ when p.arn is null then 'ok'
+ else 'alarm'
+ end status,
+ case
+ when p.arn is null then title || ' has no IAM role with cloud log tampering access.'
+ else title || ' has IAM role with cloud log tampering access.'
+ end as reason
+ ${replace(local.tag_dimensions_qualifier_sql, "__QUALIFIER__", "i.")}
+ ${replace(local.common_dimensions_qualifier_global_sql, "__QUALIFIER__", "i.")}
+ from
+ aws_ec2_instance as i
+ left join iam_roles as r on r.intance_arn = i.arn
+ left join iam_role_with_permission as p on p.arn = r.role_arn;
+ EOQ
+}
+
+query "ec2_instance_no_iam_role_with_write_permission_on_critical_s3_configuration" {
+ sql = <<-EOQ
+ with iam_roles as (
+ select
+ r.arn as role_arn,
+ i.arn as intance_arn
+ from
+ aws_iam_role as r,
+ jsonb_array_elements_text(instance_profile_arns) as p
+ left join aws_ec2_instance as i on p = i.iam_instance_profile_arn
+ where
+ i.arn is not null
+ ), iam_role_with_permission as (
+ select
+ arn
+ from
+ aws_iam_role,
+ jsonb_array_elements(assume_role_policy_std -> 'Statement') as s,
+ jsonb_array_elements_text(s -> 'Principal' -> 'Service') as service,
+ jsonb_array_elements_text(s -> 'Action') as action
+ where
+ arn in (select role_arn from iam_roles)
+ and s ->> 'Effect' = 'Allow'
+ and service = 'ec2.amazonaws.com'
+ and action in ( 's3:putobjectretention','s3:putlifecycleconfiguration','s3:putbucketpolicy','s3:putbucketversioning', '*:*')
+ )
+ select
+ i.arn as resource,
+ case
+ when p.arn is null then 'ok'
+ else 'alarm'
+ end status,
+ case
+ when p.arn is null then title || ' has no IAM role with write permission on critical s3 configuration.'
+ else title || ' has IAM role with write permission on critical s3 configuration.'
+ end as reason
+ ${replace(local.tag_dimensions_qualifier_sql, "__QUALIFIER__", "i.")}
+ ${replace(local.common_dimensions_qualifier_global_sql, "__QUALIFIER__", "i.")}
+ from
+ aws_ec2_instance as i
+ left join iam_roles as r on r.intance_arn = i.arn
+ left join iam_role_with_permission as p on p.arn = r.role_arn;
+ EOQ
+}
+
+query "ec2_instance_no_iam_role_with_security_group_write_access" {
+ sql = <<-EOQ
+ with iam_roles as (
+ select
+ r.arn as role_arn,
+ i.arn as intance_arn
+ from
+ aws_iam_role as r,
+ jsonb_array_elements_text(instance_profile_arns) as p
+ left join aws_ec2_instance as i on p = i.iam_instance_profile_arn
+ where
+ i.arn is not null
+ ), iam_role_with_permission as (
+ select
+ arn
+ from
+ aws_iam_role,
+ jsonb_array_elements(assume_role_policy_std -> 'Statement') as s,
+ jsonb_array_elements_text(s -> 'Principal' -> 'Service') as service,
+ jsonb_array_elements_text(s -> 'Action') as action
+ where
+ arn in (select role_arn from iam_roles)
+ and s ->> 'Effect' = 'Allow'
+ and service = 'ec2.amazonaws.com'
+ and action in ( 'rds:createdbsecuritygroup','rds:deletedbsecuritygroup','rds:revokedbsecuritygroupingress','ec2:authorizesecuritygroupegress','ec2:authorizesecuritygroupingress','ec2:createsecuritygroup','ec2:deletesecuritygroup','ec2:modifysecuritygrouprules','ec2:revokesecuritygroupegress','ec2:revokesecuritygroupingress','elasticloadbalancing:applysecuritygroupsToLoadbalancer','elasticloadbalancing:setsecuritygroups','redshift:authorizeclustersecuritygroupingress','redshift:createclustersecuritygroup','redshift:deleteclustersecuritygroup', '*:*')
+ )
+ select
+ i.arn as resource,
+ case
+ when p.arn is null then 'ok'
+ else 'alarm'
+ end status,
+ case
+ when p.arn is null then title || ' has no IAM role with security group write access.'
+ else title || ' has IAM role with security group write access.'
+ end as reason + ${replace(local.tag_dimensions_qualifier_sql, "__QUALIFIER__", "i.")} + ${replace(local.common_dimensions_qualifier_global_sql, "__QUALIFIER__", "i.")} + from + aws_ec2_instance as i + left join iam_roles as r on r.intance_arn = i.arn + left join iam_role_with_permission as p on p.arn = r.role_arn; + EOQ } \ No newline at end of file From 258f6e7019e714594e04dc6ba67704fa436f19a6 Mon Sep 17 00:00:00 2001 From: khushboo9024 Date: Fri, 8 Dec 2023 17:12:09 +0530 Subject: [PATCH 19/25] update --- all_controls/ec2.sp | 2 + all_controls/rds.sp | 1 + conformance_pack/ec2.sp | 106 ++++++++++++++++++++++++++++++++++++++++ conformance_pack/rds.sp | 29 +++++++++++ 4 files changed, 138 insertions(+) diff --git a/all_controls/ec2.sp b/all_controls/ec2.sp index 921c572c..86c4bb77 100644 --- a/all_controls/ec2.sp +++ b/all_controls/ec2.sp @@ -45,6 +45,8 @@ benchmark "all_controls_ec2" { control.ec2_instance_no_iam_role_with_cloud_log_tampering_access, control.ec2_instance_no_iam_role_with_write_permission_on_critical_s3_configuration, control.ec2_instance_no_iam_role_with_security_group_write_access, + control.ec2_instance_no_iam_role_with_defense_evasion_impact_of_aws_security_services_access, + control.ec2_instance_no_iam_role_with_elastic_ip_hijacking_access, ] tags = merge(local.all_controls_ec2_common_tags, { diff --git a/all_controls/rds.sp b/all_controls/rds.sp index 0dcd266a..8aec1701 100644 --- a/all_controls/rds.sp +++ b/all_controls/rds.sp @@ -44,6 +44,7 @@ benchmark "all_controls_rds" { control.rds_db_cluster_encrypted_with_cmk, control.rds_db_instance_backup_retention_period_less_than_7, control.rds_db_instance_no_public_subnet, + control.rds_db_instance_postgres_not_exposed_to_local_file_read_vulnerability, ] tags = merge(local.all_controls_rds_common_tags, { diff --git a/conformance_pack/ec2.sp b/conformance_pack/ec2.sp index 20f4a6d0..48a1be55 100644 --- a/conformance_pack/ec2.sp +++ b/conformance_pack/ec2.sp 
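Review bot: Every `iam_role_with_permission` CTE in this hunk expands `assume_role_policy_std -> 'Statement'`, which is the role's trust policy — its `Action` elements are `sts:AssumeRole` and its variants, not the permissions the role grants — so the `action in ('ecr:setrepositorypolicy', …)` filters can only match a trust statement that literally lists one of those strings, and each of these controls will report `ok` for a role whose attached or inline permission policies do grant the listed actions. The `service = 'ec2.amazonaws.com'` predicate is the only part of that CTE that belongs on the trust policy; the action check has to run against the role's permission policy documents instead (its inline policies and the documents behind its attached policy ARNs), and the same construction is repeated in the `@@ -1649` and `@@ -1755` hunks of the later patches in this series. Within the action lists, `'srds-data:ExecuteStatement'` is a typo for `'rds-data:ExecuteStatement'`, and mixed-case entries (`'s3:putObject'`, `'es:Updateelasticsearchdomainconfig'`, `'elasticloadbalancing:applysecuritygroupsToLoadbalancer'` here, `'ec2:DisassociateAddress'`/`'ec2:EnableAddressTransfer'` in the `@@ -1649` hunk) will never match if the `_std` columns canonicalize actions to lowercase, as the rest of each list assumes. The `--${replace(local.tag_dimensions_qualifier_sql, …)}` lines in `ec2_instance_no_iam_role_attached_with_credentials_exposure_access` and `..._alter_critical_s3_permissions_configuration` are still interpolated by HCL before the SQL is parsed, so if either local expands to more than one line only its first line is commented out; either delete the two lines or restore them as the sibling queries have them. Finally, `..._alter_critical_s3_permissions_configuration` and `..._write_permission_on_critical_s3_configuration` carry identical action lists, and the `destruction_kms_access` list holds only `secretsmanager:getsecretvalue` and `kms:decrypt`, which are read and decrypt operations, so the two S3 controls duplicate each other and the KMS title does not describe what its query tests.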
@@ -420,6 +420,22 @@ control "ec2_instance_no_iam_role_with_security_group_write_access" {
 tags = local.conformance_pack_ec2_common_tags
 }
+control "ec2_instance_no_iam_role_with_defense_evasion_impact_of_aws_security_services_access" {
+ title = "EC2 instance IAM role should not allow defense evasion impact of AWS security services access"
+ description = "This control checks whether EC2 instance IAM role should not allow defense evasion impact of AWS security services access."
+ query = query.ec2_instance_no_iam_role_with_defense_evasion_impact_of_aws_security_services_access
+
+ tags = local.conformance_pack_ec2_common_tags
+}
+
+control "ec2_instance_no_iam_role_with_elastic_ip_hijacking_access" {
+ title = "EC2 instance IAM role should not allow elastic IP hijacking access."
+ description = "This control checks whether EC2 instance IAM role should not allow elastic IP hijacking access."
+ query = query.ec2_instance_no_iam_role_with_elastic_ip_hijacking_access
+
+ tags = local.conformance_pack_ec2_common_tags
+}
+
 query "ec2_ebs_default_encryption_enabled" {
 sql = <<-EOQ
 select
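Review bot: The `description` of both controls reads "This control checks whether EC2 instance IAM role should not allow …", which states the desired outcome rather than what the query evaluates, and the second `title` ends with a period while the control titles added earlier in this file do not. Suggest `description = "This control checks whether the IAM role attached to an EC2 instance allows actions that can disable or tamper with AWS security services (GuardDuty, Shield, Detective, Inspector, Config, CloudWatch)."` for the first control, `title = "EC2 instance IAM role should not allow elastic IP hijacking access"` for the second, and a description for the second that names the two `ec2` address actions its query checks.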
@@ -1649,4 +1665,94 @@ query "ec2_instance_no_iam_role_with_security_group_write_access" {
 left join iam_roles as r on r.intance_arn = i.arn
 left join iam_role_with_permission as p on p.arn = r.role_arn;
 EOQ
+}
+
+query "ec2_instance_no_iam_role_with_defense_evasion_impact_of_aws_security_services_access" {
+ sql = <<-EOQ
+ with iam_roles as (
+ select
+ r.arn as role_arn,
+ i.arn as intance_arn
+ from
+ aws_iam_role as r,
+ jsonb_array_elements_text(instance_profile_arns) as p
+ left join aws_ec2_instance as i on p = i.iam_instance_profile_arn
+ where
+ i.arn is not null
+ ), iam_role_with_permission as (
+ select
+ arn
+ from
+ aws_iam_role,
+ jsonb_array_elements(assume_role_policy_std -> 'Statement') as s,
+ jsonb_array_elements_text(s -> 'Principal' -> 'Service') as service,
+ jsonb_array_elements_text(s -> 'Action') as action
+ where
+ arn in (select role_arn from iam_roles)
+ and s ->> 'Effect' = 'Allow'
+ and service = 'ec2.amazonaws.com'
+ and action in ( 'guardduty:updatedetector','guardduty:deletedetector','guardduty:deletemembers','guardduty:updatefilter','guardduty:deletefilter','shield:disableapplicationlayerautomaticresponse','shield:updateprotectiongroup','shield:deletesubscription','detective:disassociatemembership','detective:deletemembers','inspector:disable','config:stopconfigurationrecorder','config:deleteconfigurationrecorder','config:deleteconfigrule','config:deleteorganizationconfigrule','cloudwatch:disablealarmactions','cloudwatch:disableinsightrules', '*:*')
+ )
+ select
+ i.arn as resource,
+ case
+ when p.arn is null then 'ok'
+ else 'alarm'
+ end status,
+ case
+ when p.arn is null then title || ' has no IAM role With defense evasion impact of AWS security services access.'
+ else title || ' has IAM role With defense evasion impact of AWS security services access.'
+ end as reason
+ ${replace(local.tag_dimensions_qualifier_sql, "__QUALIFIER__", "i.")}
+ ${replace(local.common_dimensions_qualifier_global_sql, "__QUALIFIER__", "i.")}
+ from
+ aws_ec2_instance as i
+ left join iam_roles as r on r.intance_arn = i.arn
+ left join iam_role_with_permission as p on p.arn = r.role_arn;
+ EOQ
+}
+
+query "ec2_instance_no_iam_role_with_elastic_ip_hijacking_access" {
+ sql = <<-EOQ
+ with iam_roles as (
+ select
+ r.arn as role_arn,
+ i.arn as intance_arn
+ from
+ aws_iam_role as r,
+ jsonb_array_elements_text(instance_profile_arns) as p
+ left join aws_ec2_instance as i on p = i.iam_instance_profile_arn
+ where
+ i.arn is not null
+ ), iam_role_with_permission as (
+ select
+ arn
+ from
+ aws_iam_role,
+ jsonb_array_elements(assume_role_policy_std -> 'Statement') as s,
+ jsonb_array_elements_text(s -> 'Principal' -> 'Service') as service,
+ jsonb_array_elements_text(s -> 'Action') as action
+ where
+ arn in (select role_arn from iam_roles)
+ and s ->> 'Effect' = 'Allow'
+ and service = 'ec2.amazonaws.com'
+ and action in ( 'ec2:DisassociateAddress', 'ec2:EnableAddressTransfer' '*:*')
+ )
+ select
+ i.arn as resource,
+ case
+ when p.arn is null then 'ok'
+ else 'alarm'
+ end status,
+ case
+ when p.arn is null then title || ' has no IAM role with elastic IP hijacking access.'
+ else title || ' has IAM role with elastic IP hijacking access.'
+ end as reason
+ ${replace(local.tag_dimensions_qualifier_sql, "__QUALIFIER__", "i.")}
+ ${replace(local.common_dimensions_qualifier_global_sql, "__QUALIFIER__", "i.")}
+ from
+ aws_ec2_instance as i
+ left join iam_roles as r on r.intance_arn = i.arn
+ left join iam_role_with_permission as p on p.arn = r.role_arn;
+ EOQ
 }
\ No newline at end of file
diff --git a/conformance_pack/rds.sp b/conformance_pack/rds.sp
index a334fa40..c2ff5ccc 100644
--- a/conformance_pack/rds.sp
+++ b/conformance_pack/rds.sp
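Review bot: The two reason strings of `ec2_instance_no_iam_role_with_defense_evasion_impact_of_aws_security_services_access` capitalize `With` mid-sentence (`' has no IAM role With defense evasion impact of AWS security services access.'`), unlike every sibling query in this file; lowercase it in both branches, e.g. `' has IAM role with defense evasion impact of AWS security services access.'`. In both queries the `i.arn is not null` predicate in the `iam_roles` CTE turns its `left join aws_ec2_instance` into an inner join; writing `inner join aws_ec2_instance as i on p = i.iam_instance_profile_arn` and dropping the `where` states that intent directly.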
@@ -498,6 +498,14 @@ control "rds_db_instance_no_public_subnet" {
 tags = local.conformance_pack_rds_common_tags
 }
+control "rds_db_instance_postgres_not_exposed_to_local_file_read_vulnerability" {
+ title = "RDS PostgreSQL DB instances should not be exposed to local file read vulnerability"
+ description = "This control checks whether AWS PostgreSQL DB isntance are exposed to local file read vulnerability by ensuring that AWS RDS PostgreSQL instances use a non-vulnerable version of the log_fdw."
+ query = query.rds_db_instance_postgres_not_exposed_to_local_file_read_vulnerability
+
+ tags = local.conformance_pack_rds_common_tags
+}
+
 query "rds_db_instance_backup_enabled" {
 sql = <<-EOQ
 select
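Review bot: The `description` has a typo (`isntance`), a number-agreement error ("DB isntance are"), and names `log_fdw` as the affected component without saying that the query it points to decides solely on `engine_version`, so a reader cannot tell how the control reaches its verdict. Suggest `description = "This control checks whether an RDS PostgreSQL DB instance runs an engine version affected by the log_fdw local file read vulnerability; instances on an affected engine version are reported as alarm."`. The `title` would read better as "RDS PostgreSQL DB instances should not run an engine version exposed to the local file read vulnerability", matching the version-based check.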
@@ -1452,4 +1460,25 @@ query "rds_db_instance_no_public_subnet" { aws_rds_db_instance as c left join cluster_public_subnet as s on s.subnet_group_name = c.db_subnet_group_name; EOQ +} + +query "rds_db_instance_postgres_not_exposed_to_local_file_read_vulnerability" { + sql = <<-EOQ + select + arn as resource, + case + when not engine = 'postgres' then 'skip' + when engine = 'postgres' and engine_version like any (array ['10.11', '10.12', '10.13', '11.6', '11.7', '11.8']) then 'alarm' + else 'ok' + end as status, + case + when not engine = 'postgres' then title || ' not PostgreSQL edition.' + when engine = 'postgres' and engine_version like any (array ['13.2','13.1','12.6','12.5','12.4','12.3','12.2','11.11','11.10','11.9','11.8','11.7','11.6','11.5','11.4','11.3','11.2','11.1','10.16','10.15','10.14','10.13','10.12','10.11','10.10','10.9','10.7','10.6','10.5','10.4','10.3','10.1','9.6.21','9.6.20','9.6.19','9.6.18','9.6.17','9.6.16','9.6.15','9.6.14','9.6.12','9.6.11','9.6.10','9.6.9','9.6.8','9.6.6','9.6.5','9.6.3','9.6.2','9.6.1','9.5','9.4','9.3']) then title || ' exposed to local file read vulnerability.' + else title || ' not exposed to local file read vulnerability.' + end as reason + ${local.tag_dimensions_sql} + ${local.common_dimensions_sql} + from + aws_rds_db_instance; + EOQ } \ No newline at end of file From cd5b477529bdcc9126c9221819f82aeb8138b3a1 Mon Sep 17 00:00:00 2001 From: khushboo9024 Date: Fri, 8 Dec 2023 20:05:04 +0530 Subject: [PATCH 20/25] update --- all_controls/ec2.sp | 1 + conformance_pack/ec2.sp | 55 ++++++++++++++++++++++++++++++++++++++++- 2 files changed, 55 insertions(+), 1 deletion(-) diff --git a/all_controls/ec2.sp b/all_controls/ec2.sp index 86c4bb77..fb604058 100644 --- a/all_controls/ec2.sp +++ b/all_controls/ec2.sp 
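Review bot: The `status` and `reason` expressions test `engine_version` against two different version lists — six entries for `status`, about fifty for `reason` — so an instance on, say, `12.5` is reported `ok` with the reason `exposed to local file read vulnerability`, and the benchmark contradicts its own explanation. Keep a single list in a CTE and reference it from both expressions, as sketched below; which versions belong in that list has to be confirmed against the advisory, since the diff gives two incompatible answers. Note too that `like any (array [...])` without a wildcard is plain equality, so entries such as `'9.5'` or `'10.1'` only match that exact string and never a `9.5.x` patch release; if prefix matching is intended the entries need a `%` suffix, and `'10.1%'` would then also match `10.10` through `10.16`.
```sql
with affected_versions as (
  -- single source of truth for status and reason; <affected-version-list> is a placeholder to be filled from the advisory
  select unnest(array['<affected-version-list>']) as engine_version
)
select
  arn as resource,
  case
    when engine <> 'postgres' then 'skip'
    when engine_version in (select engine_version from affected_versions) then 'alarm'
    else 'ok'
  end as status,
  case
    when engine <> 'postgres' then title || ' not PostgreSQL edition.'
    when engine_version in (select engine_version from affected_versions) then title || ' exposed to local file read vulnerability.'
    else title || ' not exposed to local file read vulnerability.'
  end as reason
  -- … unchanged: dimension locals and from clause …
```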
@@ -47,6 +47,7 @@ benchmark "all_controls_ec2" {
 control.ec2_instance_no_iam_role_with_security_group_write_access,
 control.ec2_instance_no_iam_role_with_defense_evasion_impact_of_aws_security_services_access,
 control.ec2_instance_no_iam_role_with_elastic_ip_hijacking_access,
+ control.ec2_instance_no_iam_passrole_and_lambda_invoke_function_access,
 ]
 tags = merge(local.all_controls_ec2_common_tags, {
diff --git a/conformance_pack/ec2.sp b/conformance_pack/ec2.sp
index 48a1be55..7f255375 100644
--- a/conformance_pack/ec2.sp
+++ b/conformance_pack/ec2.sp
@@ -436,6 +436,14 @@ control "ec2_instance_no_iam_role_with_elastic_ip_hijacking_access" {
 tags = local.conformance_pack_ec2_common_tags
 }
+control "ec2_instance_no_iam_passrole_and_lambda_invoke_function_access" {
+ title = "EC2 instance IAM should not allow pass role and lambda invoke function access."
+ description = "This control checks whether EC2 instance IAM role should not allow pass role and lambda invoke function access."
+ query = query.ec2_instance_no_iam_passrole_and_lambda_invoke_function_access
+
+ tags = local.conformance_pack_ec2_common_tags
+}
+
 query "ec2_ebs_default_encryption_enabled" {
 sql = <<-EOQ
 select
@@ -1736,7 +1744,7 @@ query "ec2_instance_no_iam_role_with_elastic_ip_hijacking_access" {
 arn in (select role_arn from iam_roles)
 and s ->> 'Effect' = 'Allow'
 and service = 'ec2.amazonaws.com'
- and action in ( 'ec2:DisassociateAddress', 'ec2:EnableAddressTransfer' '*:*')
+ and action in ( 'ec2:DisassociateAddress', 'ec2:EnableAddressTransfer', '*:*')
 )
 select
 i.arn as resource,
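Review bot: The `title` of `ec2_instance_no_iam_passrole_and_lambda_invoke_function_access` is missing the word "role" ("EC2 instance IAM should not allow …") and ends with a period, unlike the titles of the sibling controls; suggest `title = "EC2 instance IAM role should not allow pass role and lambda invoke function access"`. The `description` repeats the "checks whether … should not allow" phrasing; `description = "This control checks whether the IAM role attached to an EC2 instance allows iam:PassRole or the Lambda function creation and invocation actions."` says what is evaluated.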
@@ -1755,4 +1763,49 @@ query "ec2_instance_no_iam_role_with_elastic_ip_hijacking_access" {
 left join iam_roles as r on r.intance_arn = i.arn
 left join iam_role_with_permission as p on p.arn = r.role_arn;
 EOQ
+}
+
+query "ec2_instance_no_iam_passrole_and_lambda_invoke_function_access" {
+ sql = <<-EOQ
+ with iam_roles as (
+ select
+ r.arn as role_arn,
+ i.arn as intance_arn
+ from
+ aws_iam_role as r,
+ jsonb_array_elements_text(instance_profile_arns) as p
+ left join aws_ec2_instance as i on p = i.iam_instance_profile_arn
+ where
+ i.arn is not null
+ ), iam_role_with_permission as (
+ select
+ arn
+ from
+ aws_iam_role,
+ jsonb_array_elements(assume_role_policy_std -> 'Statement') as s,
+ jsonb_array_elements_text(s -> 'Principal' -> 'Service') as service,
+ jsonb_array_elements_text(s -> 'Action') as action
+ where
+ arn in (select role_arn from iam_roles)
+ and s ->> 'Effect' = 'Allow'
+ and service = 'ec2.amazonaws.com'
+ and action in ( 'iam:passrole','lambda:createfunction', 'lambda:invokefunction' ,'*:*')
+ )
+ select
+ i.arn as resource,
+ case
+ when p.arn is null then 'ok'
+ else 'alarm'
+ end status,
+ case
+ when p.arn is null then title || ' has no IAM pass role and lambda invoke function access.'
+ else title || ' has IAM IAM pass role and lambda invoke function access.'
+ end as reason
+ ${replace(local.tag_dimensions_qualifier_sql, "__QUALIFIER__", "i.")}
+ ${replace(local.common_dimensions_qualifier_global_sql, "__QUALIFIER__", "i.")}
+ from
+ aws_ec2_instance as i
+ left join iam_roles as r on r.intance_arn = i.arn
+ left join iam_role_with_permission as p on p.arn = r.role_arn;
+ EOQ
 }
\ No newline at end of file
From f3428fce0d906a8c60a7603b8913de762ae15aed Mon Sep 17 00:00:00 2001
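Review bot: The control name and title describe a pass-role-plus-Lambda-invoke combination, but `action in ( 'iam:passrole','lambda:createfunction', 'lambda:invokefunction' ,'*:*')` alarms on a role that holds any single one of the three, so every instance role that merely invokes a Lambda function is reported; if the combination is what matters, the `iam_role_with_permission` CTE has to aggregate per role — `group by arn having bool_or(action = 'iam:passrole') and bool_or(action in ('lambda:createfunction', 'lambda:invokefunction'))` — with the `'*:*'` case handled separately. The alarm reason duplicates a word: `' has IAM IAM pass role and lambda invoke function access.'` should be `' has IAM pass role and lambda invoke function access.'`. The spacing inside the action list (`'lambda:invokefunction' ,'*:*'`) is also inconsistent with the sibling queries.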
From: khushboosharma Date: Thu, 14 Dec 2023 14:09:36 +0530 Subject: [PATCH 21/25] sort controls --- all_controls/acm.sp | 6 +++--- all_controls/cloudfront.sp | 4 ++-- all_controls/cloudtrail.sp | 6 +++--- all_controls/docdb.sp | 4 ++-- all_controls/ec2.sp | 42 ++++++++++++++++++------------------- all_controls/ecs.sp | 4 ++-- all_controls/eks.sp | 4 ++-- all_controls/elasticache.sp | 4 ++-- all_controls/elb.sp | 6 +++--- all_controls/emr.sp | 2 +- all_controls/kinesis.sp | 4 ++-- all_controls/rds.sp | 12 +++++------ all_controls/redshift.sp | 4 ++-- all_controls/s3.sp | 6 +++--- all_controls/sns.sp | 4 ++-- all_controls/sqs.sp | 2 +- all_controls/ssm.sp | 2 +- all_controls/vpc.sp | 8 +++---- 18 files changed, 62 insertions(+), 62 deletions(-) diff --git a/all_controls/acm.sp b/all_controls/acm.sp index 4b7d5ebc..b46c377b 100644 --- a/all_controls/acm.sp +++ b/all_controls/acm.sp @@ -9,11 +9,11 @@ benchmark "all_controls_acm" { description = "This section contains recommendations for configuring ACM resources." children = [ control.acm_certificate_expires_30_days, - control.acm_certificate_no_wildcard_domain_name, - control.acm_certificate_transparency_logging_enabled, - control.acm_certificate_not_expired, control.acm_certificate_no_failed_certificate, control.acm_certificate_no_pending_validation_certificate, + control.acm_certificate_no_wildcard_domain_name, + control.acm_certificate_not_expired, + control.acm_certificate_transparency_logging_enabled ] tags = merge(local.all_controls_acm_common_tags, { diff --git a/all_controls/cloudfront.sp b/all_controls/cloudfront.sp index fce81b6b..2abb99c7 100644 --- a/all_controls/cloudfront.sp +++ b/all_controls/cloudfront.sp 
@@ -19,11 +19,11 @@ benchmark "all_controls_cloudfront" {
 control.cloudfront_distribution_no_non_existent_s3_origin,
 control.cloudfront_distribution_non_s3_origins_encryption_in_transit_enabled,
 control.cloudfront_distribution_origin_access_identity_enabled,
+ control.cloudfront_distribution_protocol_version_latest,
 control.cloudfront_distribution_sni_enabled,
 control.cloudfront_distribution_use_custom_ssl_certificate,
 control.cloudfront_distribution_use_secure_cipher,
- control.cloudfront_distribution_waf_enabled,
- control.cloudfront_distribution_protocol_version_latest,
+ control.cloudfront_distribution_waf_enabled
 ]
 tags = merge(local.all_controls_cloudfront_common_tags, {
diff --git a/all_controls/cloudtrail.sp b/all_controls/cloudtrail.sp
index f405b897..85fa1e2f 100644
--- a/all_controls/cloudtrail.sp
+++ b/all_controls/cloudtrail.sp
@@ -11,19 +11,19 @@ benchmark "all_controls_cloudtrail" {
 control.cloudtrail_bucket_not_public,
 control.cloudtrail_multi_region_read_write_enabled,
 control.cloudtrail_multi_region_trail_enabled,
+ control.cloudtrail_multi_region_trail_integrated_with_logs,
 control.cloudtrail_s3_data_events_enabled,
 control.cloudtrail_s3_logging_enabled,
 control.cloudtrail_s3_object_read_events_audit_enabled,
 control.cloudtrail_s3_object_write_events_audit_enabled,
 control.cloudtrail_security_trail_enabled,
 control.cloudtrail_trail_bucket_mfa_enabled,
+ control.cloudtrail_trail_enabled_account,
 control.cloudtrail_trail_enabled,
 control.cloudtrail_trail_insight_selectors_and_logging_enabled,
 control.cloudtrail_trail_integrated_with_logs,
 control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
- control.cloudtrail_trail_validation_enabled,
- control.cloudtrail_trail_enabled_account,
- control.cloudtrail_multi_region_trail_integrated_with_logs,
+ control.cloudtrail_trail_validation_enabled
 ]
 tags = merge(local.all_controls_cloudtrail_common_tags, {
diff --git a/all_controls/docdb.sp b/all_controls/docdb.sp
index f88113c6..7883539a 100644
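Review bot: `control.cloudtrail_trail_enabled_account` is inserted before `control.cloudtrail_trail_enabled` in this hunk, which is not sorted order — `cloudtrail_trail_enabled` is a prefix of the longer name and sorts first — so the list this commit sets out to sort is still out of order at that point. Swap the two lines: `control.cloudtrail_trail_enabled,` then `control.cloudtrail_trail_enabled_account,`. The other reordered `children` lists visible in this patch are in lexical order.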
--- a/all_controls/docdb.sp
+++ b/all_controls/docdb.sp
@@ -9,9 +9,9 @@ benchmark "all_controls_docdb" {
 description = "This section contains recommendations for configuring DocumentDB resources."
 children = [
 control.docdb_cluster_backup_retention_period_7_days,
- control.docdb_cluster_encryption_at_rest_enabled,
- control.docdb_cluster_instance_logging_enabled,
 control.docdb_cluster_deletion_protection_enabled,
+ control.docdb_cluster_encryption_at_rest_enabled,
+ control.docdb_cluster_instance_logging_enabled
 ]
 tags = merge(local.all_controls_docdb_common_tags, {
diff --git a/all_controls/ec2.sp b/all_controls/ec2.sp
index fb604058..9be294d0 100644
--- a/all_controls/ec2.sp
+++ b/all_controls/ec2.sp
@@ -16,7 +16,27 @@ benchmark "all_controls_ec2" {
 control.ec2_instance_in_vpc,
 control.ec2_instance_no_amazon_key_pair,
 control.ec2_instance_no_high_level_finding_in_inspector_scan,
+ control.ec2_instance_no_iam_passrole_and_lambda_invoke_function_access,
+ control.ec2_instance_no_iam_role_attached_with_credentials_exposure_access,
+ control.ec2_instance_no_iam_role_with_alter_critical_s3_permissions_configuration,
+ control.ec2_instance_no_iam_role_with_cloud_log_tampering_access,
+ control.ec2_instance_no_iam_role_with_data_destruction_access,
+ control.ec2_instance_no_iam_role_with_database_management_write_access,
+ control.ec2_instance_no_iam_role_with_defense_evasion_impact_of_aws_security_services_access,
+ control.ec2_instance_no_iam_role_with_destruction_kms_access,
+ control.ec2_instance_no_iam_role_with_destruction_rds_access,
+ control.ec2_instance_no_iam_role_with_elastic_ip_hijacking_access,
+ control.ec2_instance_no_iam_role_with_new_group_creation_with_attached_policy_access,
+ control.ec2_instance_no_iam_role_with_new_role_creation_with_attached_policy_access,
+ control.ec2_instance_no_iam_role_with_new_user_creation_with_attached_policy_access,
+ control.ec2_instance_no_iam_role_with_org_write_access,
+ control.ec2_instance_no_iam_role_with_privilege_escalation_risk_access,
+ control.ec2_instance_no_iam_role_with_security_group_write_access,
+ control.ec2_instance_no_iam_role_with_write_access_to_resource_based_policies,
+ control.ec2_instance_no_iam_role_with_write_permission_on_critical_s3_configuration,
+ control.ec2_instance_no_iam_with_write_level_access,
 control.ec2_instance_no_launch_wizard_security_group,
+ control.ec2_instance_no_management_level_access,
 control.ec2_instance_not_publicly_accessible,
 control.ec2_instance_not_use_multiple_enis,
 control.ec2_instance_protected_by_backup_plan,
@@ -27,27 +47,7 @@ benchmark "all_controls_ec2" { control.ec2_instance_virtualization_type_no_paravirtual, control.ec2_launch_template_not_publicly_accessible, control.ec2_stopped_instance_30_days, - control.ec2_transit_gateway_auto_cross_account_attachment_disabled, - control.ec2_instance_no_management_level_access, - control.ec2_instance_no_iam_role_with_data_destruction_access, - control.ec2_instance_no_iam_with_write_level_access, - control.ec2_instance_no_iam_role_with_database_management_write_access, - control.ec2_instance_no_iam_role_with_org_write_access, - control.ec2_instance_no_iam_role_with_privilege_escalation_risk_access, - control.ec2_instance_no_iam_role_with_new_group_creation_with_attached_policy_access, - control.ec2_instance_no_iam_role_with_new_role_creation_with_attached_policy_access, - control.ec2_instance_no_iam_role_with_new_user_creation_with_attached_policy_access, - control.ec2_instance_no_iam_role_with_write_access_to_resource_based_policies, - control.ec2_instance_no_iam_role_attached_with_credentials_exposure_access, - control.ec2_instance_no_iam_role_with_alter_critical_s3_permissions_configuration, - control.ec2_instance_no_iam_role_with_destruction_kms_access, - control.ec2_instance_no_iam_role_with_destruction_rds_access, - control.ec2_instance_no_iam_role_with_cloud_log_tampering_access, - control.ec2_instance_no_iam_role_with_write_permission_on_critical_s3_configuration, - control.ec2_instance_no_iam_role_with_security_group_write_access, - control.ec2_instance_no_iam_role_with_defense_evasion_impact_of_aws_security_services_access, - control.ec2_instance_no_iam_role_with_elastic_ip_hijacking_access, - control.ec2_instance_no_iam_passrole_and_lambda_invoke_function_access, + control.ec2_transit_gateway_auto_cross_account_attachment_disabled ] tags = merge(local.all_controls_ec2_common_tags, { diff --git a/all_controls/ecs.sp b/all_controls/ecs.sp index 4848f184..995e7b07 100644 --- a/all_controls/ecs.sp 
+++ b/all_controls/ecs.sp @@ -12,6 +12,7 @@ benchmark "all_controls_ecs" { control.ecs_cluster_container_instance_agent_connected, control.ecs_cluster_encryption_at_rest_enabled, control.ecs_cluster_instance_in_vpc, + control.ecs_cluster_no_active_services_count, control.ecs_cluster_no_registered_container_instance, control.ecs_service_fargate_using_latest_platform_version, control.ecs_service_load_balancer_attached, @@ -21,9 +22,8 @@ benchmark "all_controls_ecs" { control.ecs_task_definition_container_readonly_root_filesystem, control.ecs_task_definition_logging_enabled, control.ecs_task_definition_no_host_pid_mode, - control.ecs_task_definition_user_for_host_mode_check, control.ecs_task_definition_no_root_user, - control.ecs_cluster_no_active_services_count, + control.ecs_task_definition_user_for_host_mode_check ] tags = merge(local.all_controls_ecs_common_tags, { diff --git a/all_controls/eks.sp b/all_controls/eks.sp index cffc4ba2..bc49dc39 100644 --- a/all_controls/eks.sp +++ b/all_controls/eks.sp @@ -12,9 +12,9 @@ benchmark "all_controls_eks" { control.eks_cluster_endpoint_public_access_restricted, control.eks_cluster_endpoint_restrict_public_access, control.eks_cluster_no_default_vpc, - control.eks_cluster_secrets_encrypted, - control.eks_cluster_with_latest_kubernetes_version, control.eks_cluster_no_multiple_security_groups, + control.eks_cluster_secrets_encrypted, + control.eks_cluster_with_latest_kubernetes_version ] tags = merge(local.all_controls_eks_common_tags, { diff --git a/all_controls/elasticache.sp b/all_controls/elasticache.sp index 22d278da..116275d1 100644 --- a/all_controls/elasticache.sp +++ b/all_controls/elasticache.sp 
@@ -12,10 +12,10 @@ benchmark "all_controls_elasticache" { control.elasticache_cluster_no_default_subnet_group, control.elasticache_redis_cluster_automatic_backup_retention_15_days, control.elasticache_replication_group_auto_failover_enabled, + control.elasticache_replication_group_encryption_at_rest_enabled_with_kms_cmk, control.elasticache_replication_group_encryption_at_rest_enabled, control.elasticache_replication_group_encryption_in_transit_enabled, - control.elasticache_replication_group_redis_auth_enabled, - control.elasticache_replication_group_encryption_at_rest_enabled_with_kms_cmk, + control.elasticache_replication_group_redis_auth_enabled ] tags = merge(local.all_controls_elasticache_common_tags, { diff --git a/all_controls/elb.sp b/all_controls/elb.sp index 45c3bf4c..a1b5535e 100644 --- a/all_controls/elb.sp +++ b/all_controls/elb.sp @@ -25,14 +25,14 @@ benchmark "all_controls_elb" { control.elb_classic_lb_cross_zone_load_balancing_enabled, control.elb_classic_lb_desync_mitigation_mode, control.elb_classic_lb_multiple_az_configured, + control.elb_classic_lb_no_registered_instance, control.elb_classic_lb_use_ssl_certificate, control.elb_classic_lb_use_tls_https_listeners, + control.elb_classic_lb_with_inbound_rule, control.elb_classic_lb_with_outbound_rule, control.elb_listener_use_secure_ssl_cipher, control.elb_network_lb_tls_listener_security_policy_configured, - control.elb_tls_listener_protocol_version, - control.elb_classic_lb_no_registered_instance, - control.elb_classic_lb_with_inbound_rule, + control.elb_tls_listener_protocol_version ] tags = merge(local.all_controls_elb_common_tags, { diff --git a/all_controls/emr.sp b/all_controls/emr.sp index e525d246..5039906d 100644 --- a/all_controls/emr.sp +++ b/all_controls/emr.sp 
@@ -11,7 +11,7 @@ benchmark "all_controls_emr" { control.emr_account_public_access_blocked, control.emr_cluster_kerberos_enabled, control.emr_cluster_master_nodes_no_public_ip, - control.emr_cluster_security_configuration_enabled, + control.emr_cluster_security_configuration_enabled ] tags = merge(local.all_controls_emr_common_tags, { diff --git a/all_controls/kinesis.sp b/all_controls/kinesis.sp index e449c9cb..de919ab7 100644 --- a/all_controls/kinesis.sp +++ b/all_controls/kinesis.sp @@ -8,9 +8,9 @@ benchmark "all_controls_kinesis" { title = "Kinesis" description = "This section contains recommendations for configuring Kinesis resources." children = [ - control.kinesis_stream_encrypted_with_kms_cmk, - control.kinesis_stream_server_side_encryption_enabled, control.kinesis_firehose_delivery_stream_server_side_encryption_enabled, + control.kinesis_stream_encrypted_with_kms_cmk, + control.kinesis_stream_server_side_encryption_enabled ] tags = merge(local.all_controls_kinesis_common_tags, { diff --git a/all_controls/rds.sp b/all_controls/rds.sp index 8aec1701..dc33e814 100644 --- a/all_controls/rds.sp +++ b/all_controls/rds.sp @@ -9,9 +9,11 @@ benchmark "all_controls_rds" { description = "This section contains recommendations for configuring RDS resources." children = [ control.rds_db_cluster_aurora_backtracking_enabled, + control.rds_db_cluster_aurora_postgres_not_exposed_to_local_file_read_vulnerability, control.rds_db_cluster_aurora_protected_by_backup_plan, control.rds_db_cluster_copy_tags_to_snapshot_enabled, control.rds_db_cluster_deletion_protection_enabled, + control.rds_db_cluster_encrypted_with_cmk, control.rds_db_cluster_encryption_at_rest_enabled, control.rds_db_cluster_events_subscription, control.rds_db_cluster_iam_authentication_enabled, 
@@ -21,6 +23,7 @@ benchmark "all_controls_rds" { control.rds_db_instance_and_cluster_no_default_port, control.rds_db_instance_automatic_minor_version_upgrade_enabled, control.rds_db_instance_backup_enabled, + control.rds_db_instance_backup_retention_period_less_than_7, control.rds_db_instance_ca_certificate_expires_7_days, control.rds_db_instance_cloudwatch_logs_enabled, control.rds_db_instance_connections_encryption_enabled, @@ -34,17 +37,14 @@ benchmark "all_controls_rds" { control.rds_db_instance_logging_enabled, control.rds_db_instance_multiple_az_enabled, control.rds_db_instance_no_default_admin_name, + control.rds_db_instance_no_public_subnet, + control.rds_db_instance_postgres_not_exposed_to_local_file_read_vulnerability, control.rds_db_instance_prohibit_public_access, control.rds_db_instance_protected_by_backup_plan, control.rds_db_parameter_group_events_subscription, control.rds_db_security_group_events_subscription, control.rds_db_snapshot_encrypted_at_rest, - control.rds_db_snapshot_prohibit_public_access, - control.rds_db_cluster_aurora_postgres_not_exposed_to_local_file_read_vulnerability, - control.rds_db_cluster_encrypted_with_cmk, - control.rds_db_instance_backup_retention_period_less_than_7, - control.rds_db_instance_no_public_subnet, - control.rds_db_instance_postgres_not_exposed_to_local_file_read_vulnerability, + control.rds_db_snapshot_prohibit_public_access ] tags = merge(local.all_controls_rds_common_tags, { diff --git a/all_controls/redshift.sp b/all_controls/redshift.sp index eb422371..cc917608 100644 --- a/all_controls/redshift.sp +++ b/all_controls/redshift.sp 
@@ -11,6 +11,7 @@ benchmark "all_controls_redshift" { control.redshift_cluster_audit_logging_enabled, control.redshift_cluster_automatic_snapshots_min_7_days, control.redshift_cluster_automatic_upgrade_major_versions_enabled, + control.redshift_cluster_encrypted_with_cmk, control.redshift_cluster_encryption_in_transit_enabled, control.redshift_cluster_encryption_logging_enabled, control.redshift_cluster_enhanced_vpc_routing_enabled, @@ -18,8 +19,7 @@ benchmark "all_controls_redshift" { control.redshift_cluster_maintenance_settings_check, control.redshift_cluster_no_default_admin_name, control.redshift_cluster_no_default_database_name, - control.redshift_cluster_prohibit_public_access, - control.redshift_cluster_encrypted_with_cmk, + control.redshift_cluster_prohibit_public_access ] tags = merge(local.all_controls_redshift_common_tags, { diff --git a/all_controls/s3.sp b/all_controls/s3.sp index 25b88a62..c569b9dc 100644 --- a/all_controls/s3.sp +++ b/all_controls/s3.sp @@ -10,13 +10,14 @@ benchmark "all_controls_s3" { children = [ control.s3_bucket_acls_should_prohibit_user_access, control.s3_bucket_cross_region_replication_enabled, - control.s3_bucket_default_encryption_enabled, control.s3_bucket_default_encryption_enabled_kms, + control.s3_bucket_default_encryption_enabled, control.s3_bucket_enforces_ssl, control.s3_bucket_event_notifications_enabled, control.s3_bucket_lifecycle_policy_enabled, control.s3_bucket_logging_enabled, control.s3_bucket_mfa_delete_enabled, + control.s3_bucket_not_accessible_to_all_authenticated_user, control.s3_bucket_object_lock_enabled, control.s3_bucket_object_logging_enabled, control.s3_bucket_policy_restrict_public_access, 
@@ -28,9 +29,8 @@ benchmark "all_controls_s3" { control.s3_bucket_versioning_and_lifecycle_policy_enabled, control.s3_bucket_versioning_enabled, control.s3_public_access_block_account, - control.s3_public_access_block_bucket, control.s3_public_access_block_bucket_account, - control.s3_bucket_not_accessible_to_all_authenticated_user + control.s3_public_access_block_bucket ] tags = merge(local.all_controls_s3_common_tags, { diff --git a/all_controls/sns.sp b/all_controls/sns.sp index 25439064..c7dde255 100644 --- a/all_controls/sns.sp +++ b/all_controls/sns.sp @@ -10,10 +10,10 @@ benchmark "all_controls_sns" { children = [ control.sns_topic_encrypted_at_rest, control.sns_topic_notification_delivery_status_enabled, + control.sns_topic_policy_prohibit_cross_account_access, control.sns_topic_policy_prohibit_public_access, control.sns_topic_policy_prohibit_publishing_access, - control.sns_topic_policy_prohibit_subscription_access, - control.sns_topic_policy_prohibit_cross_account_access, + control.sns_topic_policy_prohibit_subscription_access ] tags = merge(local.all_controls_sns_common_tags, { diff --git a/all_controls/sqs.sp b/all_controls/sqs.sp index 83508782..753cad94 100644 --- a/all_controls/sqs.sp +++ b/all_controls/sqs.sp @@ -10,8 +10,8 @@ benchmark "all_controls_sqs" { children = [ control.sqs_queue_dead_letter_queue_configured, control.sqs_queue_encrypted_at_rest, - control.sqs_queue_policy_prohibit_public_access, control.sqs_queue_encrypted_with_kms_cmk, + control.sqs_queue_policy_prohibit_public_access ] tags = merge(local.all_controls_sqs_common_tags, { diff --git a/all_controls/ssm.sp b/all_controls/ssm.sp index 3f63279e..5692b495 100644 --- a/all_controls/ssm.sp +++ b/all_controls/ssm.sp 
@@ -12,7 +12,7 @@ benchmark "all_controls_ssm" { control.ssm_document_prohibit_public_access, control.ssm_managed_instance_compliance_association_compliant, control.ssm_managed_instance_compliance_patch_compliant, - control.ssm_parameter_encryption_enabled, + control.ssm_parameter_encryption_enabled ] tags = merge(local.all_controls_ssm_common_tags, { diff --git a/all_controls/vpc.sp b/all_controls/vpc.sp index 24f3bf2e..68d21ccc 100644 --- a/all_controls/vpc.sp +++ b/all_controls/vpc.sp @@ -17,6 +17,8 @@ benchmark "all_controls_vpc" { control.vpc_in_more_than_one_region, control.vpc_network_acl_remote_administration, control.vpc_network_acl_unused, + control.vpc_not_in_use, + control.vpc_peering_connection_no_cross_account_access, control.vpc_peering_connection_route_table_least_privilege, control.vpc_route_table_restrict_public_access_to_igw, control.vpc_security_group_allows_ingress_authorized_ports, @@ -26,9 +28,9 @@ benchmark "all_controls_vpc" { control.vpc_security_group_allows_ingress_to_oracle_ports, control.vpc_security_group_associated_to_eni, control.vpc_security_group_not_uses_launch_wizard_sg, - control.vpc_security_group_remote_administration, control.vpc_security_group_remote_administration_ipv4, control.vpc_security_group_remote_administration_ipv6, + control.vpc_security_group_remote_administration, control.vpc_security_group_restrict_ingress_common_ports_all, control.vpc_security_group_restrict_ingress_kafka_port, control.vpc_security_group_restrict_ingress_kibana_port, @@ -41,9 +43,7 @@ benchmark "all_controls_vpc" { control.vpc_subnet_auto_assign_public_ip_disabled, control.vpc_subnet_multi_az_enabled, control.vpc_subnet_public_and_private, - control.vpc_vpn_tunnel_up, - control.vpc_not_in_use, - control.vpc_peering_connection_no_cross_account_access, + control.vpc_vpn_tunnel_up ] tags = merge(local.all_controls_vpc_common_tags, { From 9944109abe404c1c8621afb3f83cd4d5c9806237 Mon Sep 17 00:00:00 2001 
From: khushboosharma Date: Thu, 14 Dec 2023 14:50:41 +0530 Subject: [PATCH 22/25] update --- all_controls/cloudfront.sp | 2 +- all_controls/config.sp | 2 +- all_controls/ec2.sp | 2 +- conformance_pack/cloudfront.sp | 14 +++--- conformance_pack/cloudtrail.sp | 6 +-- conformance_pack/config.sp | 10 ++-- conformance_pack/docdb.sp | 2 +- conformance_pack/ec2.sp | 92 +++++++++++++++++----------------- conformance_pack/ecs.sp | 2 +- conformance_pack/elb.sp | 8 +-- conformance_pack/kinesis.sp | 2 +- conformance_pack/rds.sp | 2 +- conformance_pack/s3.sp | 8 +-- conformance_pack/sns.sp | 8 +-- conformance_pack/vpc.sp | 2 +- 15 files changed, 81 insertions(+), 81 deletions(-) diff --git a/all_controls/cloudfront.sp b/all_controls/cloudfront.sp index 2abb99c7..c62d5429 100644 --- a/all_controls/cloudfront.sp +++ b/all_controls/cloudfront.sp @@ -19,7 +19,7 @@ benchmark "all_controls_cloudfront" { control.cloudfront_distribution_no_non_existent_s3_origin, control.cloudfront_distribution_non_s3_origins_encryption_in_transit_enabled, control.cloudfront_distribution_origin_access_identity_enabled, - control.cloudfront_distribution_protocol_version_latest, + control.cloudfront_distribution_latest_tls_version, control.cloudfront_distribution_sni_enabled, control.cloudfront_distribution_use_custom_ssl_certificate, control.cloudfront_distribution_use_secure_cipher, diff --git a/all_controls/config.sp b/all_controls/config.sp index 0394ac1e..131d66d8 100644 --- a/all_controls/config.sp +++ b/all_controls/config.sp @@ -9,7 +9,7 @@ benchmark "all_controls_config" { description = "This section contains recommendations for configuring Config resources." children = [ control.config_enabled_all_regions, - control.config_no_failed_deliver_logs + control.config_configuration_recorder_no_failed_deliver_logs ] tags = merge(local.all_controls_config_common_tags, { diff --git a/all_controls/ec2.sp b/all_controls/ec2.sp index 9be294d0..ec5dbe33 100644 --- a/all_controls/ec2.sp 
+++ b/all_controls/ec2.sp @@ -36,7 +36,7 @@ benchmark "all_controls_ec2" { control.ec2_instance_no_iam_role_with_write_permission_on_critical_s3_configuration, control.ec2_instance_no_iam_with_write_level_access, control.ec2_instance_no_launch_wizard_security_group, - control.ec2_instance_no_management_level_access, + control.ec2_instance_no_iam_role_with_management_level_access, control.ec2_instance_not_publicly_accessible, control.ec2_instance_not_use_multiple_enis, control.ec2_instance_protected_by_backup_plan, diff --git a/conformance_pack/cloudfront.sp b/conformance_pack/cloudfront.sp index f481f8cc..9590e400 100644 --- a/conformance_pack/cloudfront.sp +++ b/conformance_pack/cloudfront.sp @@ -158,10 +158,10 @@ control "cloudfront_distribution_field_level_encryption_enabled" { tags = local.conformance_pack_cloudfront_common_tags } -control "cloudfront_distribution_protocol_version_latest" { - title = "CloudFront distributions should have latest TLS protocol version" - description = "This control checks whether an AWS CloudFront distribution uses latest protocol version." - query = query.cloudfront_distribution_protocol_version_latest +control "cloudfront_distribution_latest_tls_version" { + title = "CloudFront distributions should have latest TLS version" + description = "This control checks whether CloudFront distribution uses latest TLS version." + query = query.cloudfront_distribution_latest_tls_version tags = local.conformance_pack_cloudfront_common_tags } @@ -572,7 +572,7 @@ query "cloudfront_distribution_no_non_existent_s3_origin" { EOQ } -query "cloudfront_distribution_protocol_version_latest" { +query "cloudfront_distribution_latest_tls_version" { sql = <<-EOQ select arn as resource, 
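Review bot: The new title and description of cloudfront_distribution_latest_tls_version say "latest TLS version" without naming the security policy the control actually tests, so the control's meaning will drift silently once AWS publishes a newer policy and nothing in the text tells an operator which value satisfies it. The query compares against the literal policy name, so the description should state it: `description = "This control checks whether a CloudFront distribution's viewer security policy is TLSv1.2_2021, the most recent CloudFront security policy at the time of writing."`. The query that holds the literal appears in a later hunk of this file.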
@@ -583,8 +583,8 @@ query "cloudfront_distribution_protocol_version_latest" { end as status, case when viewer_certificate ->> 'CertificateSource' = 'cloudfront' - and viewer_certificate ->> 'MinimumProtocolVersion' = 'TLSv1.2_2021' then title || ' uses latest protocol version.' - else title || ' not uses latest protocol version.' + and viewer_certificate ->> 'MinimumProtocolVersion' = 'TLSv1.2_2021' then title || ' uses latest TLS version.' + else title || ' not uses latest TLS version.' end as reason ${local.tag_dimensions_sql} ${local.common_dimensions_sql} diff --git a/conformance_pack/cloudtrail.sp b/conformance_pack/cloudtrail.sp index cd21d77f..6c60b936 100644 --- a/conformance_pack/cloudtrail.sp +++ b/conformance_pack/cloudtrail.sp @@ -239,7 +239,7 @@ control "cloudtrail_trail_bucket_mfa_enabled" { control "cloudtrail_trail_enabled_account" { title = "At least one CloudTrail trail should be enabled in the AWS account" - description = "Ensure that at least one CloudTrail trail is be enabled in the AWS account." + description = "Ensure that at least one CloudTrail trail is enabled in the AWS account." query = query.cloudtrail_trail_enabled_account tags = local.conformance_pack_cloudtrail_common_tags @@ -247,7 +247,7 @@ control "cloudtrail_trail_enabled_account" { control "cloudtrail_multi_region_trail_integrated_with_logs" { title = "CloudTrail multi region trails should be integrated with CloudWatch logs" - description = "Ensure that CloudTrail multi region trails are itegrated with CloudWatch logs." + description = "Ensure that CloudTrail multi region trail is itegrated with CloudWatch logs." query = query.cloudtrail_multi_region_trail_integrated_with_logs tags = local.conformance_pack_cloudtrail_common_tags 
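Review bot: The predicate on the rewritten reason lines, `viewer_certificate ->> 'CertificateSource' = 'cloudfront' and viewer_certificate ->> 'MinimumProtocolVersion' = 'TLSv1.2_2021'`, only yields the positive message for distributions on the CloudFront default certificate, so a distribution that uses a custom ACM or IAM certificate with the TLSv1.2_2021 policy is reported as not using the latest TLS version. As far as I recall, CloudFront also pins the security policy to TLSv1 whenever the default certificate is in use, which would make this condition unsatisfiable and alarm every distribution — worth confirming against the API documentation before relying on the control. If the intent is to check the viewer security policy, `when viewer_certificate ->> 'MinimumProtocolVersion' = 'TLSv1.2_2021' then title || ' uses latest TLS version.'` is sufficient, and the status case above this hunk presumably needs the same change. The else message should read `else title || ' does not use latest TLS version.'`. The enclosing query starts outside the hunk.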
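Review bot: The rewritten description of cloudtrail_multi_region_trail_integrated_with_logs still carries the typo `itegrated`, and switching to the singular `trail is` now disagrees with the plural title on the line above. `description = "Ensure that CloudTrail multi region trails are integrated with CloudWatch logs."` fixes both.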
@@ -803,7 +803,7 @@ query "cloudtrail_multi_region_trail_integrated_with_logs" { end as status, case when log_group_arn != 'null' and ((latest_delivery_time) > current_date - 1) then title || ' multi region trail integrated with CloudWatch logs.' - else title || ' multi region trsail not integrated with CloudWatch logs.' + else title || ' multi region trail not integrated with CloudWatch logs.' end as reason ${local.tag_dimensions_sql} ${local.common_dimensions_sql} diff --git a/conformance_pack/config.sp b/conformance_pack/config.sp index 9aa63ed3..d1ec237a 100644 --- a/conformance_pack/config.sp +++ b/conformance_pack/config.sp @@ -21,10 +21,10 @@ control "config_enabled_all_regions" { }) } -control "config_no_failed_deliver_logs" { - title = "Config should not fail to deliver logs" - description = "This control checks whether AWS Config fails to deliver logs. This control is non-compliant if AWS Config fails to deliver logs." - query = query.config_no_failed_deliver_logs +control "config_configuration_recorder_no_failed_deliver_logs" { + title = "Config configuration recorder should not fail to deliver logs" + description = "This control checks whether Config configuration recorder fails to deliver logs. This control is non-compliant if Config configuration recorder fails to deliver logs." + query = query.config_configuration_recorder_no_failed_deliver_logs tags = local.conformance_pack_config_common_tags } @@ -88,7 +88,7 @@ query "config_enabled_all_regions" { EOQ } -query "config_no_failed_deliver_logs" { +query "config_configuration_recorder_no_failed_deliver_logs" { sql = <<-EOQ select arn as resource, diff --git a/conformance_pack/docdb.sp b/conformance_pack/docdb.sp index 6a879e2a..27432c42 100644 --- a/conformance_pack/docdb.sp +++ b/conformance_pack/docdb.sp 
@@ -102,7 +102,7 @@ query "docdb_cluster_deletion_protection_enabled" { end status, case when deletion_protection then title || ' deletion protection enabled.' - else title || ' deletion protection not enabled.' + else title || ' deletion protection disabled.' end reason ${local.tag_dimensions_sql} ${local.common_dimensions_sql} diff --git a/conformance_pack/ec2.sp b/conformance_pack/ec2.sp index 7f255375..0d270e6a 100644 --- a/conformance_pack/ec2.sp +++ b/conformance_pack/ec2.sp @@ -284,17 +284,17 @@ control "ec2_ami_restrict_public_access" { tags = local.conformance_pack_ec2_common_tags } -control "ec2_instance_no_management_level_access" { +control "ec2_instance_no_iam_role_with_management_level_access" { title = "EC2 instance IAM role should not allow management level access" - description = "This control checks whether EC2 instance IAM roles should not allow management level access." - query = query.ec2_instance_no_management_level_access + description = "This control ensures that EC2 instance IAM role does not not allow management level access." + query = query.ec2_instance_no_iam_role_with_management_level_access tags = local.conformance_pack_ec2_common_tags } control "ec2_instance_no_iam_role_with_data_destruction_access" { title = "EC2 instance IAM role should not allow data destruction access" - description = "This control checks whether EC2 instance IAM roles should not allow data destruction access." + description = "This control ensures that EC2 instance IAM role does not allow data destruction access." query = query.ec2_instance_no_iam_role_with_data_destruction_access tags = local.conformance_pack_ec2_common_tags 
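Review bot: The new description of ec2_instance_no_iam_role_with_management_level_access contains a doubled negation, `does not not allow`, which reads as the opposite of the control's intent. `description = "This control ensures that EC2 instance IAM role does not allow management level access."` matches the phrasing the commit uses for the sibling controls in this file.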
@@ -302,7 +302,7 @@ control "ec2_instance_no_iam_role_with_data_destruction_access" { control "ec2_instance_no_iam_with_write_level_access" { title = "EC2 instance IAM role should not allow write level access" - description = "This control checks whether EC2 instance IAM roles should not allow write level access." + description = "This control ensures that EC2 instance IAM role does not allow write level access." query = query.ec2_instance_no_iam_with_write_level_access tags = local.conformance_pack_ec2_common_tags @@ -310,7 +310,7 @@ control "ec2_instance_no_iam_with_write_level_access" { control "ec2_instance_no_iam_role_with_database_management_write_access" { title = "EC2 instance IAM role should not allow database management write access" - description = "This control checks whether EC2 instance IAM roles should not allow database management write access." + description = "This control ensures that EC2 instance IAM role does not allow database management write access." query = query.ec2_instance_no_iam_role_with_database_management_write_access tags = local.conformance_pack_ec2_common_tags @@ -318,7 +318,7 @@ control "ec2_instance_no_iam_role_with_database_management_write_access" { control "ec2_instance_no_iam_role_with_org_write_access" { title = "EC2 instance IAM role should not allow oraganization write access" - description = "This control checks whether EC2 instance IAM roles should not allow oraganization write access." + description = "This control ensures that EC2 instance IAM role does not allow oraganization write access." query = query.ec2_instance_no_iam_role_with_org_write_access tags = local.conformance_pack_ec2_common_tags 
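Review bot: The rewritten description of ec2_instance_no_iam_role_with_org_write_access keeps the misspelling `oraganization`; `description = "This control ensures that EC2 instance IAM role does not allow organization write access."`. The title on the context line above has the same misspelling and could be corrected in the same change.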
@@ -326,7 +326,7 @@ control "ec2_instance_no_iam_role_with_org_write_access" { control "ec2_instance_no_iam_role_with_privilege_escalation_risk_access" { title = "EC2 instance IAM role should not allow privilege escalation risk access" - description = "This control checks whether EC2 instance IAM roles should not allow privilege escalation risk access." + description = "This control ensures that EC2 instance IAM role does not allow privilege escalation risk access." query = query.ec2_instance_no_iam_role_with_privilege_escalation_risk_access tags = local.conformance_pack_ec2_common_tags @@ -334,7 +334,7 @@ control "ec2_instance_no_iam_role_with_privilege_escalation_risk_access" { control "ec2_instance_no_iam_role_with_new_group_creation_with_attached_policy_access" { title = "EC2 instance IAM role should not allow new group creation with attached policy access" - description = "This control checks whether EC2 instance IAM roles should not allow new group creation with attached policy access." + description = "This control ensures that EC2 instance IAM role does not allow new group creation with attached policy access." query = query.ec2_instance_no_iam_role_with_new_group_creation_with_attached_policy_access tags = local.conformance_pack_ec2_common_tags @@ -342,7 +342,7 @@ control "ec2_instance_no_iam_role_with_new_group_creation_with_attached_policy_a control "ec2_instance_no_iam_role_with_new_role_creation_with_attached_policy_access" { title = "EC2 instance IAM role should not allow new role creation with attached policy access" - description = "This control checks whether EC2 instance IAM roles should not allow new role creation with attached policy access." + description = "This control ensures that EC2 instance IAM role does not allow new role creation with attached policy access." query = query.ec2_instance_no_iam_role_with_new_role_creation_with_attached_policy_access tags = local.conformance_pack_ec2_common_tags 
@@ -350,7 +350,7 @@ control "ec2_instance_no_iam_role_with_new_role_creation_with_attached_policy_ac control "ec2_instance_no_iam_role_with_new_user_creation_with_attached_policy_access" { title = "EC2 instance IAM role should not allow new user creation with attached policy access" - description = "This control checks whether EC2 instance IAM roles should not allow new user creation with attached policy access." + description = "This control ensures that EC2 instance IAM role does not allow new user creation with attached policy access." query = query.ec2_instance_no_iam_role_with_new_user_creation_with_attached_policy_access tags = local.conformance_pack_ec2_common_tags @@ -358,7 +358,7 @@ control "ec2_instance_no_iam_role_with_new_user_creation_with_attached_policy_ac control "ec2_instance_no_iam_role_with_write_access_to_resource_based_policies" { title = "EC2 instance IAM role should not allow write access to resource based policies" - description = "This control checks whether EC2 instance IAM roles should not allow write access to resource based policies." + description = "This control ensures that EC2 instance IAM role does not allow write access to resource based policies." query = query.ec2_instance_no_iam_role_with_write_access_to_resource_based_policies tags = local.conformance_pack_ec2_common_tags @@ -366,7 +366,7 @@ control "ec2_instance_no_iam_role_with_write_access_to_resource_based_policies" control "ec2_instance_no_iam_role_attached_with_credentials_exposure_access" { title = "EC2 instance IAM role should not be attached with credentials exposure access" - description = "This control checks whether EC2 instance IAM roles should not be attached with credentials exposure access." + description = "This control ensures that EC2 instance IAM role should not be attached with credentials exposure access." query = query.ec2_instance_no_iam_role_attached_with_credentials_exposure_access tags = local.conformance_pack_ec2_common_tags 
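Review bot: The new description of ec2_instance_no_iam_role_attached_with_credentials_exposure_access mixes the old and new phrasings, `ensures that ... should not be attached`, whereas every other description rewritten in this commit uses `does not`. `description = "This control ensures that EC2 instance IAM role is not attached with credentials exposure access."` keeps it consistent with its siblings.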
@@ -374,7 +374,7 @@ control "ec2_instance_no_iam_role_attached_with_credentials_exposure_access" { control "ec2_instance_no_iam_role_with_alter_critical_s3_permissions_configuration" { title = "EC2 instance IAM role should not allow to alter critical s3 permissions configuration" - description = "This control checks whether EC2 instance IAM roles should not allow to alter critical s3 permissions configuration." + description = "This control ensures that EC2 instance IAM role does not allow to alter critical s3 permissions configuration." query = query.ec2_instance_no_iam_role_with_alter_critical_s3_permissions_configuration tags = local.conformance_pack_ec2_common_tags @@ -382,7 +382,7 @@ control "ec2_instance_no_iam_role_with_alter_critical_s3_permissions_configurati control "ec2_instance_no_iam_role_with_destruction_kms_access" { title = "EC2 instance IAM role should not allow destruction KMS access" - description = "This control checks whether EC2 instance IAM roles should not allow destruction KMS access." + description = "This control ensures that EC2 instance IAM roles does not allow destruction KMS access." query = query.ec2_instance_no_iam_role_with_destruction_kms_access tags = local.conformance_pack_ec2_common_tags @@ -390,7 +390,7 @@ control "ec2_instance_no_iam_role_with_destruction_kms_access" { control "ec2_instance_no_iam_role_with_destruction_rds_access" { title = "EC2 instance IAM role should not allow destruction RDS access" - description = "This control checks whether EC2 instance IAM roles should not allow destruction RDS access." + description = "This control ensures that EC2 instance IAM roles does not allow destruction RDS access." query = query.ec2_instance_no_iam_role_with_destruction_rds_access tags = local.conformance_pack_ec2_common_tags 
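Review bot: The rewritten descriptions for the destruction KMS and destruction RDS controls use `IAM roles does not allow` — a plural subject with a singular verb — while the earlier hunks in this file settled on `IAM role does not allow`; the cloud log tampering, write permission on critical s3 configuration and security group write access hunks that follow have the same slip. For example `description = "This control ensures that EC2 instance IAM role does not allow destruction KMS access."`, and likewise for the other four.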
@@ -398,7 +398,7 @@ control "ec2_instance_no_iam_role_with_destruction_rds_access" { control "ec2_instance_no_iam_role_with_cloud_log_tampering_access" { title = "EC2 instance IAM role should not allow cloud log tampering access" - description = "This control checks whether EC2 instance IAM roles should not allow cloud log tampering access." + description = "This control ensures that EC2 instance IAM roles does not allow cloud log tampering access." query = query.ec2_instance_no_iam_role_with_cloud_log_tampering_access tags = local.conformance_pack_ec2_common_tags @@ -406,7 +406,7 @@ control "ec2_instance_no_iam_role_with_cloud_log_tampering_access" { control "ec2_instance_no_iam_role_with_write_permission_on_critical_s3_configuration" { title = "EC2 instance IAM role should not allow write permission on critical s3 configuration" - description = "This control checks whether EC2 instance IAM roles should not allow write permission on critical s3 configuration." + description = "This control ensures that EC2 instance IAM roles does not allow write permission on critical s3 configuration." query = query.ec2_instance_no_iam_role_with_write_permission_on_critical_s3_configuration tags = local.conformance_pack_ec2_common_tags @@ -414,7 +414,7 @@ control "ec2_instance_no_iam_role_with_write_permission_on_critical_s3_configura control "ec2_instance_no_iam_role_with_security_group_write_access" { title = "EC2 instance IAM role should not allow security group write access" - description = "This control checks whether EC2 instance IAM roles should not allow security group write access." + description = "This control ensures that EC2 instance IAM roles does not allow security group write access." query = query.ec2_instance_no_iam_role_with_security_group_write_access tags = local.conformance_pack_ec2_common_tags 
@@ -422,7 +422,7 @@ control "ec2_instance_no_iam_role_with_security_group_write_access" {
 control "ec2_instance_no_iam_role_with_defense_evasion_impact_of_aws_security_services_access" {
 title = "EC2 instance IAM role should not allow defense evasion impact of AWS security services access"
- description = "This control checks whether EC2 instance IAM role should not allow defense evasion impact of AWS security services access."
+ description = "This control ensures that EC2 instance IAM role does not allow defense evasion impact of AWS security services access."
 query = query.ec2_instance_no_iam_role_with_defense_evasion_impact_of_aws_security_services_access
 
 tags = local.conformance_pack_ec2_common_tags
@@ -430,7 +430,7 @@ control "ec2_instance_no_iam_role_with_defense_evasion_impact_of_aws_security_se
 control "ec2_instance_no_iam_role_with_elastic_ip_hijacking_access" {
 title = "EC2 instance IAM role should not allow elastic IP hijacking access."
- description = "This control checks whether EC2 instance IAM role should not allow elastic IP hijacking access."
+ description = "This control ensures that EC2 instance IAM role does not allow elastic IP hijacking access."
 query = query.ec2_instance_no_iam_role_with_elastic_ip_hijacking_access
 
 tags = local.conformance_pack_ec2_common_tags
@@ -438,7 +438,7 @@ control "ec2_instance_no_iam_role_with_elastic_ip_hijacking_access" {
 control "ec2_instance_no_iam_passrole_and_lambda_invoke_function_access" {
 title = "EC2 instance IAM should not allow pass role and lambda invoke function access."
- description = "This control checks whether EC2 instance IAM role should not allow pass role and lambda invoke function access."
+ description = "This control ensures that EC2 instance IAM role does not allow pass role and lambda invoke function access."
 query = query.ec2_instance_no_iam_passrole_and_lambda_invoke_function_access
 
 tags = local.conformance_pack_ec2_common_tags
@@ -883,7 +883,7 @@ query "ec2_launch_template_not_publicly_accessible" {
 EOQ
 }
 
-query "ec2_instance_no_management_level_access" {
+query "ec2_instance_no_iam_role_with_management_level_access" {
 sql = <<-EOQ
 with iam_roles as (
 select
@@ -1111,8 +1111,8 @@ query "ec2_instance_no_iam_role_with_org_write_access" {
 else 'alarm'
 end status,
 case
- when p.arn is null then title || ' has no database management write level access.'
- else title || ' has database management write level access.'
+ when p.arn is null then title || ' has no organization write access.'
+ else title || ' has organization write access.'
 end as reason
 ${replace(local.tag_dimensions_qualifier_sql, "__QUALIFIER__", "i.")}
 ${replace(local.common_dimensions_qualifier_global_sql, "__QUALIFIER__", "i.")}
@@ -1205,8 +1205,8 @@ query "ec2_instance_no_iam_role_with_new_group_creation_with_attached_policy_acc
 else 'alarm'
 end status,
 case
- when p.arn is null then title || ' has no new group creation with attached policy access.'
- else title || ' has new group creation with attached policy access.'
+ when p.arn is null then title || ' has no new group creation access with attached policy.'
+ else title || ' has new group creation access with attached policy.'
 end as reason
 ${replace(local.tag_dimensions_qualifier_sql, "__QUALIFIER__", "i.")}
 ${replace(local.common_dimensions_qualifier_global_sql, "__QUALIFIER__", "i.")}
@@ -1251,8 +1251,8 @@ query "ec2_instance_no_iam_role_with_new_role_creation_with_attached_policy_acce
 else 'alarm'
 end status,
 case
- when p.arn is null then title || ' has no new role creation with attached policy access.'
- else title || ' has new role creation with attached policy access.'
+ when p.arn is null then title || ' has no new role creation access with attached policy .'
+ else title || ' has new role creation access with attached policy.'
 end as reason
 ${replace(local.tag_dimensions_qualifier_sql, "__QUALIFIER__", "i.")}
 ${replace(local.common_dimensions_qualifier_global_sql, "__QUALIFIER__", "i.")}
@@ -1297,11 +1297,11 @@ query "ec2_instance_no_iam_role_with_new_user_creation_with_attached_policy_acce
 else 'alarm'
 end status,
 case
- when p.arn is null then title || ' has no new user creation with attached policy access.'
- else title || ' has new user creation with attached policy access.'
+ when p.arn is null then title || ' has no new user creation access with attached policy.'
+ else title || ' has new user creation access with attached policy.'
 end as reason
- --${replace(local.tag_dimensions_qualifier_sql, "__QUALIFIER__", "i.")}
- -- ${replace(local.common_dimensions_qualifier_global_sql, "__QUALIFIER__", "i.")}
+ ${replace(local.tag_dimensions_qualifier_sql, "__QUALIFIER__", "i.")}
+ ${replace(local.common_dimensions_qualifier_global_sql, "__QUALIFIER__", "i.")}
 from
 aws_ec2_instance as i
 left join iam_roles as r on r.intance_arn = i.arn
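Review bot: The new `when` branch in the first hunk has a stray space before the full stop, `' has no new role creation access with attached policy .'`; it should read `' has no new role creation access with attached policy.'` so it matches its own `else` branch and the sibling group/user queries. The second hunk uncomments the two dimension template lines, so that query now emits the tag and common dimension columns like the rest of the file. Both queries start and end outside their hunks, including the CTE that defines `r.intance_arn`.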
@@ -1344,8 +1344,8 @@ query "ec2_instance_no_iam_role_with_write_access_to_resource_based_policies" {
 else 'alarm'
 end status,
 case
- when p.arn is null then title || ' has no write access permission to resource based policiess.'
- else title || ' has write access permission to resource based policiess.'
+ when p.arn is null then title || ' has no write access permission to resource based policies.'
+ else title || ' has write access permission to resource based policies.'
 end as reason
 ${replace(local.tag_dimensions_qualifier_sql, "__QUALIFIER__", "i.")}
 ${replace(local.common_dimensions_qualifier_global_sql, "__QUALIFIER__", "i.")}
@@ -1394,8 +1394,8 @@ query "ec2_instance_no_iam_role_attached_with_credentials_exposure_access" {
 when p.arn is null then title || ' has no IAM role attached with credentials exposure permissions.'
 else title || ' has IAM role attached with credentials exposure permissions.'
 end as reason
- --${replace(local.tag_dimensions_qualifier_sql, "__QUALIFIER__", "i.")}
- -- ${replace(local.common_dimensions_qualifier_global_sql, "__QUALIFIER__", "i.")}
+ ${replace(local.tag_dimensions_qualifier_sql, "__QUALIFIER__", "i.")}
+ ${replace(local.common_dimensions_qualifier_global_sql, "__QUALIFIER__", "i.")}
 from
 aws_ec2_instance as i
 left join iam_roles as r on r.intance_arn = i.arn
@@ -1441,8 +1441,8 @@ query "ec2_instance_no_iam_role_with_alter_critical_s3_permissions_configuration
 when p.arn is null then title || ' has no IAM role with alter critical s3 permissions configuration.'
 else title || ' has IAM role with alter critical s3 permissions configuration.'
 end as reason
- --${replace(local.tag_dimensions_qualifier_sql, "__QUALIFIER__", "i.")}
- -- ${replace(local.common_dimensions_qualifier_global_sql, "__QUALIFIER__", "i.")}
+ ${replace(local.tag_dimensions_qualifier_sql, "__QUALIFIER__", "i.")}
+ ${replace(local.common_dimensions_qualifier_global_sql, "__QUALIFIER__", "i.")}
 from
 aws_ec2_instance as i
 left join iam_roles as r on r.intance_arn = i.arn
@@ -1483,8 +1483,8 @@ query "ec2_instance_no_iam_role_with_destruction_kms_access" {
 else 'alarm'
 end status,
 case
- when p.arn is null then title || ' has no IAM role with destruction KMS permission'
- else title || ' has IAM role with destruction KMS permission'
+ when p.arn is null then title || ' has no IAM role with destruction KMS permission.'
+ else title || ' has IAM role with destruction KMS permission.'
 end as reason
 ${replace(local.tag_dimensions_qualifier_sql, "__QUALIFIER__", "i.")}
 ${replace(local.common_dimensions_qualifier_global_sql, "__QUALIFIER__", "i.")}
@@ -1528,8 +1528,8 @@ query "ec2_instance_no_iam_role_with_destruction_rds_access" {
 else 'alarm'
 end status,
 case
- when p.arn is null then title || ' has no IAM role with destruction RDS permission'
- else title || ' has IAM role with destruction RDS permission'
+ when p.arn is null then title || ' has no IAM role with destruction RDS permission.'
+ else title || ' has IAM role with destruction RDS permission.'
 end as reason
 ${replace(local.tag_dimensions_qualifier_sql, "__QUALIFIER__", "i.")}
 ${replace(local.common_dimensions_qualifier_global_sql, "__QUALIFIER__", "i.")}
@@ -1708,8 +1708,8 @@ query "ec2_instance_no_iam_role_with_defense_evasion_impact_of_aws_security_serv
 else 'alarm'
 end status,
 case
- when p.arn is null then title || ' has no IAM role With defense evasion impact of AWS security services access.'
- else title || ' has IAM role With defense evasion impact of AWS security services access.'
+ when p.arn is null then title || ' has no IAM role with defense evasion impact of AWS security services access.'
+ else title || ' has IAM role with defense evasion impact of AWS security services access.'
 end as reason
 ${replace(local.tag_dimensions_qualifier_sql, "__QUALIFIER__", "i.")}
 ${replace(local.common_dimensions_qualifier_global_sql, "__QUALIFIER__", "i.")}
@@ -1799,7 +1799,7 @@ query "ec2_instance_no_iam_passrole_and_lambda_invoke_function_access" {
 end status,
 case
 when p.arn is null then title || ' has no IAM pass role and lambda invoke function access.'
- else title || ' has IAM IAM pass role and lambda invoke function access.'
+ else title || ' has IAM pass role and lambda invoke function access.'
 end as reason
 ${replace(local.tag_dimensions_qualifier_sql, "__QUALIFIER__", "i.")}
 ${replace(local.common_dimensions_qualifier_global_sql, "__QUALIFIER__", "i.")}
diff --git a/conformance_pack/ecs.sp b/conformance_pack/ecs.sp
index b281b7fe..a80f124b 100644
--- a/conformance_pack/ecs.sp
+++ b/conformance_pack/ecs.sp
@@ -141,7 +141,7 @@ control "ecs_service_fargate_using_latest_platform_version" {
 control "ecs_task_definition_no_root_user" {
 title = "ECS task definitions should not use root user."
- description = "This control checks if ECS task definitions have root user. This control fails if the ECS task definitions .have root user"
+ description = "This control checks if ECS task definitions have root user. This control fails if the ECS task definitions have root user."
 query = query.ecs_task_definition_no_root_user
 
 tags = local.conformance_pack_ecs_common_tags
diff --git a/conformance_pack/elb.sp b/conformance_pack/elb.sp
index b89f274d..c8ce2870 100644
--- a/conformance_pack/elb.sp
+++ b/conformance_pack/elb.sp
@@ -323,7 +323,7 @@ control "elb_application_gateway_network_lb_multiple_az_configured" {
 control "elb_classic_lb_no_registered_instance" {
 title = "ELB classic load balancers should have at least one registered instance"
- description = "This control checks whether an ELB classic load balancers has registered instances. The control fails if an ELB classic load balancer has zero instances registered."
+ description = "This control checks whether an ELB classic load balancer has registered instances. The control fails if an ELB classic load balancer has zero instances registered."
 query = query.elb_classic_lb_no_registered_instance
 
 tags = local.foundational_security_elb_common_tags
@@ -331,7 +331,7 @@ control "elb_classic_lb_no_registered_instance" {
 control "elb_classic_lb_with_inbound_rule" {
 title = "ELB classic load balancers should have at least one inbound rule"
- description = "Ensure classic load balancers have at least one inbound rule in all the attached security groups."
+ description = "Ensure classic load balancer have at least one inbound rule in all the attached security groups."
 query = query.elb_classic_lb_with_inbound_rule
 
 tags = local.foundational_security_elb_common_tags
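Review bot: The second hunk introduces a subject–verb mismatch, `classic load balancer have`, where the removed line was grammatical; keep the plural: `description = "Ensure classic load balancers have at least one inbound rule in all the attached security groups."`. The singular/plural fix in the first hunk is correct as written. Both control blocks close outside their hunks.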
@@ -1061,8 +1061,8 @@ query "elb_classic_lb_with_inbound_rule" {
 end as status,
 case
 when c.security_groups is null then c.title || ' does not have security group attached.'
- when i.arn is not null then c.title || ' all attached security groups do not have inbound rule(s).'
- else c.title || ' all attached security groups have inbound rule(s).'
+ when i.arn is not null then c.title || ' all attached security groups do not have inbound rule(s).'
+ else c.title || ' all attached security groups have inbound rule(s).'
 end as reason
 ${local.tag_dimensions_sql}
 ${replace(local.common_dimensions_qualifier_sql, "__QUALIFIER__", "c.")}
diff --git a/conformance_pack/kinesis.sp b/conformance_pack/kinesis.sp
index e2dd2c23..d1ea21be 100644
--- a/conformance_pack/kinesis.sp
+++ b/conformance_pack/kinesis.sp
@@ -27,7 +27,7 @@ control "kinesis_stream_encrypted_with_kms_cmk" {
 control "kinesis_firehose_delivery_stream_server_side_encryption_enabled" {
 title = "Kinesis firehose delivery streams should have server side encryption enabled"
- description = "Enable server side encryption (SSE) of your AWS Kinesis firehose delivery stream, in order to protect your data and metadata from breaches or unauthorized access, and fulfill compliance requirements for data-at-rest encryption within your organization."
+ description = "Enable server side encryption (SSE) of your Kinesis firehose delivery stream, in order to protect your data and metadata from breaches or unauthorized access, and fulfill compliance requirements for data-at-rest encryption within your organization."
 query = query.kinesis_firehose_delivery_stream_server_side_encryption_enabled
 
 tags = local.conformance_pack_kinesis_common_tags
diff --git a/conformance_pack/rds.sp b/conformance_pack/rds.sp
index c2ff5ccc..3f6866fb 100644
--- a/conformance_pack/rds.sp
+++ b/conformance_pack/rds.sp
@@ -491,7 +491,7 @@ control "rds_db_instance_backup_retention_period_less_than_7" {
 }
 
 control "rds_db_instance_no_public_subnet" {
- title = "RDS DB instances should not use public_subnet"
+ title = "RDS DB instances should not use public subnet"
 description = "This control checks if RDS DB instance is configured with public subnet as there is a risk of exposing sensitive data."
 query = query.rds_db_instance_no_public_subnet
 
diff --git a/conformance_pack/s3.sp b/conformance_pack/s3.sp
index d3ab95e6..82cb91ca 100644
--- a/conformance_pack/s3.sp
+++ b/conformance_pack/s3.sp
@@ -380,8 +380,8 @@ control "s3_bucket_acls_should_prohibit_user_access" {
 }
 
 control "s3_bucket_not_accessible_to_all_authenticated_user" {
- title = "S3 buckets ACL should not all accessible to all authenticated user"
- description = "This control checks whether AWS S3 buckets ACLs allow access to all authenticated users."
+ title = "S3 bucket ACLs should not be accessible to all authenticated user"
+ description = "This control checks whether AWS S3 bucket ACL allow access to all authenticated users."
 query = query.s3_bucket_not_accessible_to_all_authenticated_user
 
 tags =local.conformance_pack_s3_common_tags
@@ -1158,8 +1158,8 @@ query "s3_bucket_not_accessible_to_all_authenticated_user" {
 else 'alarm'
 end status,
 case
- when p.name is null then b.title || ' not accessible to all authenticated_user.'
- else b.title || ' accessible to all authenticated_user.'
+ when p.name is null then b.title || ' not accessible to all authenticated user.'
+ else b.title || ' accessible to all authenticated user.'
 end as reason
 ${local.tag_dimensions_sql}
 ${replace(local.common_dimensions_qualifier_sql, "__QUALIFIER__", "b.")}
diff --git a/conformance_pack/sns.sp b/conformance_pack/sns.sp
index f28e5328..c2b45742 100644
--- a/conformance_pack/sns.sp
+++ b/conformance_pack/sns.sp
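Review bot: The rewritten S3 title and description still carry number errors, `accessible to all authenticated user` and `S3 bucket ACL allow`; use `title = "S3 bucket ACLs should not be accessible to all authenticated users"` and `description = "This control checks whether AWS S3 bucket ACLs allow access to all authenticated users."`. The same `authenticated user` wording appears in both rewritten reason branches of the `@@ -1158` hunk, so change those to `authenticated users` as well. The context line `tags =local.conformance_pack_s3_common_tags` is missing the space after `=` that every other control in this diff has; it is not part of this change but is worth fixing while the block is being edited.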
@@ -48,15 +48,15 @@ control "sns_topic_notification_delivery_status_enabled" {
 
 control "sns_topic_policy_prohibit_publishing_access" {
 title = "SNS topic policies should prohibit publishing access"
- description = "Manage access to resources in the AWS Cloud by ensuring AWS SNS topics cannot accessed publicly for .publishing"
+ description = "Manage access to resources in the AWS Cloud by ensuring SNS topics cannot accessed publicly for publishing."
 query = query.sns_topic_policy_prohibit_publishing_access
 
 tags = local.conformance_pack_sns_common_tags
 }
 
 control "sns_topic_policy_prohibit_subscription_access" {
- title = "SNS topic policies should subscription public access"
- description = "Manage access to resources in the AWS Cloud by ensuring AWS SNS topics cannot accessed publicly for subscription"
+ title = "SNS topic policies should prohibit subscription public access"
+ description = "Manage access to resources in the AWS Cloud by ensuring SNS topics cannot accessed publicly for subscription."
 query = query.sns_topic_policy_prohibit_subscription_access
 
 tags = local.conformance_pack_sns_common_tags
@@ -64,7 +64,7 @@ control "sns_topic_policy_prohibit_subscription_access" {
 
 control "sns_topic_policy_prohibit_cross_account_access" {
 title = "SNS topic policies should prohibit cross account access"
- description = "Manage access to resources in the AWS Cloud by ensuring AWS SNS topics does not have cross account access."
+ description = "Manage access to resources in the AWS Cloud by ensuring SNS topics does not have cross account access."
 query = query.sns_topic_policy_prohibit_cross_account_access
 
 tags = local.conformance_pack_sns_common_tags
diff --git a/conformance_pack/vpc.sp b/conformance_pack/vpc.sp
index 825f1fd3..0b8f0b9c 100644
--- a/conformance_pack/vpc.sp
+++ b/conformance_pack/vpc.sp
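Review bot: Both rewritten descriptions in the first hunk keep the pre-existing `cannot accessed publicly` (the `be` is missing), and the cross-account description in the second hunk has `SNS topics does not have`. Since these lines are being rewritten anyway, write `ensuring SNS topics cannot be accessed publicly for publishing.`, `ensuring SNS topics cannot be accessed publicly for subscription.` and `ensuring SNS topics do not have cross account access.`. The title fix for the subscription control is correct as written.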
@@ -1849,7 +1849,7 @@ query "vpc_vpn_gateway_per_region_less_then_4" {
 else 'ok'
 end as status,
 r.region || ' region has ' || coalesce(v.count, 0) || ' VPN gateway(s).' as reason
- --${replace(local.common_dimensions_qualifier_sql, "__QUALIFIER__", "r.")}
+ ${replace(local.common_dimensions_qualifier_sql, "__QUALIFIER__", "r.")}
 from
 aws_region as r
 left join vpn_gateway_per_region as v on r.account_id = v.account_id and r.region = v.region;
From 3ab356e218655f950397e94d40c9fc7be41989f7 Mon Sep 17 00:00:00 2001
From: khushboosharma
Date: Mon, 18 Dec 2023 22:55:46 +0530
Subject: [PATCH 23/25] update
---
 all_controls/cloudfront.sp | 2 +-
 all_controls/cloudtrail.sp | 2 +-
 all_controls/config.sp | 2 +-
 all_controls/ec2.sp | 4 ++--
 all_controls/elasticache.sp | 2 +-
 all_controls/s3.sp | 6 +++---
 all_controls/vpc.sp | 2 +-
 conformance_pack/ec2.sp | 38 ++++++++++++++++++-------------------
 conformance_pack/elb.sp | 2 +-
 conformance_pack/kinesis.sp | 4 ++--
 conformance_pack/sns.sp | 13 +++++--------
 conformance_pack/vpc.sp | 2 +-
 12 files changed, 38 insertions(+), 41 deletions(-)
diff --git a/all_controls/cloudfront.sp b/all_controls/cloudfront.sp
index c62d5429..8d7c107a 100644
--- a/all_controls/cloudfront.sp
+++ b/all_controls/cloudfront.sp
@@ -14,12 +14,12 @@ benchmark "all_controls_cloudfront" {
 control.cloudfront_distribution_encryption_in_transit_enabled,
 control.cloudfront_distribution_field_level_encryption_enabled,
 control.cloudfront_distribution_geo_restrictions_enabled,
+ control.cloudfront_distribution_latest_tls_version,
 control.cloudfront_distribution_logging_enabled,
 control.cloudfront_distribution_no_deprecated_ssl_protocol,
 control.cloudfront_distribution_no_non_existent_s3_origin,
 control.cloudfront_distribution_non_s3_origins_encryption_in_transit_enabled,
 control.cloudfront_distribution_origin_access_identity_enabled,
- control.cloudfront_distribution_latest_tls_version,
 control.cloudfront_distribution_sni_enabled,
 control.cloudfront_distribution_use_custom_ssl_certificate,
 control.cloudfront_distribution_use_secure_cipher,
diff --git a/all_controls/cloudtrail.sp b/all_controls/cloudtrail.sp
index 85fa1e2f..25fc14df 100644
--- a/all_controls/cloudtrail.sp
+++ b/all_controls/cloudtrail.sp
@@ -18,8 +18,8 @@ benchmark "all_controls_cloudtrail" {
 control.cloudtrail_s3_object_write_events_audit_enabled,
 control.cloudtrail_security_trail_enabled,
 control.cloudtrail_trail_bucket_mfa_enabled,
- control.cloudtrail_trail_enabled_account,
 control.cloudtrail_trail_enabled,
+ control.cloudtrail_trail_enabled_account,
 control.cloudtrail_trail_insight_selectors_and_logging_enabled,
 control.cloudtrail_trail_integrated_with_logs,
 control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
diff --git a/all_controls/config.sp b/all_controls/config.sp
index 131d66d8..913ed322 100644
--- a/all_controls/config.sp
+++ b/all_controls/config.sp
@@ -8,8 +8,8 @@ benchmark "all_controls_config" {
 title = "Config"
 description = "This section contains recommendations for configuring Config resources."
 children = [
- control.config_enabled_all_regions,
 control.config_configuration_recorder_no_failed_deliver_logs
+ control.config_enabled_all_regions
 ]
 
 tags = merge(local.all_controls_config_common_tags, {
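Review bot: The config.sp hunk leaves the `children` list with no separator between its two elements: the former last element `control.config_configuration_recorder_no_failed_deliver_logs` is a context line with no trailing comma, and the added `control.config_enabled_all_regions` now follows it directly, which HCL will reject when the benchmark is parsed. Add the comma on that line, `control.config_configuration_recorder_no_failed_deliver_logs,`, or give every element a trailing comma so reorders cannot break the list again. The cloudfront and cloudtrail reorders in this line keep their commas intact.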
diff --git a/all_controls/ec2.sp b/all_controls/ec2.sp
index ec5dbe33..afb4050a 100644
--- a/all_controls/ec2.sp
+++ b/all_controls/ec2.sp
@@ -26,6 +26,7 @@ benchmark "all_controls_ec2" {
 control.ec2_instance_no_iam_role_with_destruction_kms_access,
 control.ec2_instance_no_iam_role_with_destruction_rds_access,
 control.ec2_instance_no_iam_role_with_elastic_ip_hijacking_access,
+ control.ec2_instance_no_iam_role_with_management_level_access,
 control.ec2_instance_no_iam_role_with_new_group_creation_with_attached_policy_access,
 control.ec2_instance_no_iam_role_with_new_role_creation_with_attached_policy_access,
 control.ec2_instance_no_iam_role_with_new_user_creation_with_attached_policy_access,
@@ -36,7 +37,6 @@ benchmark "all_controls_ec2" {
 control.ec2_instance_no_iam_role_with_write_permission_on_critical_s3_configuration,
 control.ec2_instance_no_iam_with_write_level_access,
 control.ec2_instance_no_launch_wizard_security_group,
- control.ec2_instance_no_iam_role_with_management_level_access,
 control.ec2_instance_not_publicly_accessible,
 control.ec2_instance_not_use_multiple_enis,
 control.ec2_instance_protected_by_backup_plan,
@@ -47,7 +47,7 @@ benchmark "all_controls_ec2" {
 control.ec2_instance_virtualization_type_no_paravirtual,
 control.ec2_launch_template_not_publicly_accessible,
 control.ec2_stopped_instance_30_days,
- control.ec2_transit_gateway_auto_cross_account_attachment_disabled
+ control.ec2_transit_gateway_auto_cross_account_attachment_disabled,
 ]
 
 tags = merge(local.all_controls_ec2_common_tags, {
diff --git a/all_controls/elasticache.sp b/all_controls/elasticache.sp
index 116275d1..c1deb37b 100644
--- a/all_controls/elasticache.sp
+++ b/all_controls/elasticache.sp
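Review bot: The third hunk adds a trailing comma, `control.ec2_transit_gateway_auto_cross_account_attachment_disabled,`, which HCL accepts, but the other `children` lists touched by this commit (config, elasticache, s3, vpc) keep no trailing comma, so the files now disagree on style. Pick one convention across all_controls; a trailing comma on every element is the safer choice, since appending or reordering the last element then never requires touching a neighbouring line.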
@@ -12,8 +12,8 @@ benchmark "all_controls_elasticache" {
 control.elasticache_cluster_no_default_subnet_group,
 control.elasticache_redis_cluster_automatic_backup_retention_15_days,
 control.elasticache_replication_group_auto_failover_enabled,
- control.elasticache_replication_group_encryption_at_rest_enabled_with_kms_cmk,
 control.elasticache_replication_group_encryption_at_rest_enabled,
+ control.elasticache_replication_group_encryption_at_rest_enabled_with_kms_cmk,
 control.elasticache_replication_group_encryption_in_transit_enabled,
 control.elasticache_replication_group_redis_auth_enabled
 ]
diff --git a/all_controls/s3.sp b/all_controls/s3.sp
index c569b9dc..2c240848 100644
--- a/all_controls/s3.sp
+++ b/all_controls/s3.sp
@@ -10,8 +10,8 @@ benchmark "all_controls_s3" {
 children = [
 control.s3_bucket_acls_should_prohibit_user_access,
 control.s3_bucket_cross_region_replication_enabled,
- control.s3_bucket_default_encryption_enabled_kms,
 control.s3_bucket_default_encryption_enabled,
+ control.s3_bucket_default_encryption_enabled_kms,
 control.s3_bucket_enforces_ssl,
 control.s3_bucket_event_notifications_enabled,
 control.s3_bucket_lifecycle_policy_enabled,
@@ -29,8 +29,8 @@ benchmark "all_controls_s3" {
 control.s3_bucket_versioning_and_lifecycle_policy_enabled,
 control.s3_bucket_versioning_enabled,
 control.s3_public_access_block_account,
- control.s3_public_access_block_bucket_account,
- control.s3_public_access_block_bucket
+ control.s3_public_access_block_bucket,
+ control.s3_public_access_block_bucket_account
 ]
 
 tags = merge(local.all_controls_s3_common_tags, {
diff --git a/all_controls/vpc.sp b/all_controls/vpc.sp
index 68d21ccc..c7e4f86d 100644
--- a/all_controls/vpc.sp
+++ b/all_controls/vpc.sp
@@ -28,9 +28,9 @@ benchmark "all_controls_vpc" {
 control.vpc_security_group_allows_ingress_to_oracle_ports,
 control.vpc_security_group_associated_to_eni,
 control.vpc_security_group_not_uses_launch_wizard_sg,
+ control.vpc_security_group_remote_administration,
 control.vpc_security_group_remote_administration_ipv4,
 control.vpc_security_group_remote_administration_ipv6,
- control.vpc_security_group_remote_administration,
 control.vpc_security_group_restrict_ingress_common_ports_all,
 control.vpc_security_group_restrict_ingress_kafka_port,
 control.vpc_security_group_restrict_ingress_kibana_port,
diff --git a/conformance_pack/ec2.sp b/conformance_pack/ec2.sp
index 0d270e6a..ce0d4f77 100644
--- a/conformance_pack/ec2.sp
+++ b/conformance_pack/ec2.sp
@@ -286,7 +286,7 @@ control "ec2_ami_restrict_public_access" {
 control "ec2_instance_no_iam_role_with_management_level_access" {
 title = "EC2 instance IAM role should not allow management level access"
- description = "This control ensures that EC2 instance IAM role does not not allow management level access."
+ description = "This control ensures that EC2 instance IAM role does not allow management level access."
 query = query.ec2_instance_no_iam_role_with_management_level_access
 
 tags = local.conformance_pack_ec2_common_tags
@@ -382,7 +382,7 @@ control "ec2_instance_no_iam_role_with_alter_critical_s3_permissions_configurati
 control "ec2_instance_no_iam_role_with_destruction_kms_access" {
 title = "EC2 instance IAM role should not allow destruction KMS access"
- description = "This control ensures that EC2 instance IAM roles does not allow destruction KMS access."
+ description = "This control ensures that EC2 instance IAM roles do not allow destruction KMS access."
 query = query.ec2_instance_no_iam_role_with_destruction_kms_access
 
 tags = local.conformance_pack_ec2_common_tags
@@ -390,7 +390,7 @@ control "ec2_instance_no_iam_role_with_destruction_kms_access" {
 control "ec2_instance_no_iam_role_with_destruction_rds_access" {
 title = "EC2 instance IAM role should not allow destruction RDS access"
- description = "This control ensures that EC2 instance IAM roles does not allow destruction RDS access."
+ description = "This control ensures that EC2 instance IAM roles do not allow destruction RDS access."
 query = query.ec2_instance_no_iam_role_with_destruction_rds_access
 
 tags = local.conformance_pack_ec2_common_tags
@@ -398,7 +398,7 @@ control "ec2_instance_no_iam_role_with_destruction_rds_access" {
 control "ec2_instance_no_iam_role_with_cloud_log_tampering_access" {
 title = "EC2 instance IAM role should not allow cloud log tampering access"
- description = "This control ensures that EC2 instance IAM roles does not allow cloud log tampering access."
+ description = "This control ensures that EC2 instance IAM roles do not allow cloud log tampering access."
 query = query.ec2_instance_no_iam_role_with_cloud_log_tampering_access
 
 tags = local.conformance_pack_ec2_common_tags
@@ -406,7 +406,7 @@ control "ec2_instance_no_iam_role_with_cloud_log_tampering_access" {
 control "ec2_instance_no_iam_role_with_write_permission_on_critical_s3_configuration" {
 title = "EC2 instance IAM role should not allow write permission on critical s3 configuration"
- description = "This control ensures that EC2 instance IAM roles does not allow write permission on critical s3 configuration."
+ description = "This control ensures that EC2 instance IAM roles do not allow write permission on critical s3 configuration."
 query = query.ec2_instance_no_iam_role_with_write_permission_on_critical_s3_configuration
 
 tags = local.conformance_pack_ec2_common_tags
@@ -414,7 +414,7 @@ control "ec2_instance_no_iam_role_with_write_permission_on_critical_s3_configura
 control "ec2_instance_no_iam_role_with_security_group_write_access" {
 title = "EC2 instance IAM role should not allow security group write access"
- description = "This control ensures that EC2 instance IAM roles does not allow security group write access."
+ description = "This control ensures that EC2 instance IAM roles do not allow security group write access."
 query = query.ec2_instance_no_iam_role_with_security_group_write_access
 
 tags = local.conformance_pack_ec2_common_tags
@@ -927,7 +927,7 @@ query "ec2_instance_no_iam_role_with_management_level_access" {
 from
 aws_ec2_instance as i
 left join iam_roles as r on r.intance_arn = i.arn
- left join iam_role_with_permission as p on p.arn = r.role_arn
+ left join iam_role_with_permission as p on p.arn = r.role_arn;
 EOQ
 }
 
@@ -1004,7 +1004,7 @@ query "ec2_instance_no_iam_with_write_level_access" { and s ->> 'Effect' = 'Allow' and service = 'ec2.amazonaws.com' and ( - (action in ('iam:addclientidtoopenidconnectprovider','iam:addroletoinstanceprofile','iam:addusertogroup','iam:changepassword','iam:createaccesskey','iam:createaccountalias','iam:creategroup','iam:createinstanceprofile','iam:createloginprofile','iam:createopenidconnectprovider','iam:createrole','iam:createsamlprovider','iam:createservicelinkedrole','iam:createservicespecificcredential','iam:createuser','iam:createvirtualmfadevice','iam:deactivatemfadevice','iam:deleteaccesskey','iam:deleteaccountalias','iam:deletegroup','iam:deleteinstanceprofile','iam:deleteloginprofile','iam:deleteopenidconnectprovider','iam:deleterole','iam:deletesamlprovider','iam:deletesshpublickey','iam:deleteservercertificate','iam:deleteservicelinkedrole','iam:deleteservicespecificcredential','iam:deletesigningcertificate','iam:deleteUser','iam:deletevirtualmfadevice','iam:enablemfadevice','iam:passrole','iam:removeclientidfromopenidconnectprovider','iam:removerolefrominstanceprofile','iam:removeuserfromgroup','iam:resetservicespecificcredential','iam:resyncmfadevice','iam:setsecuritytokenservicepreferences','iam:updateaccesskey','iam:updateaccountpasswordpolicy','iam:updategroup','iam:updateloginprofile','iam:updateopenidconnectproviderthumbprint','iam:updaterole','iam:updateroledescription','iam:updatesamlprovider','iam:updatesshpublicKey','iam:updateservercertificate','iam:updateservicespecificcredential','iam:updatesigningcertificate','iam:updateuser','iam:uploadsshpublicKey','iam:uploadservercertificate','iam:uploadsigningcertificate' ,'*:*') + (action in 
('iam:addclientidtoopenidconnectprovider','iam:addroletoinstanceprofile','iam:addusertogroup','iam:changepassword','iam:createaccesskey','iam:createaccountalias','iam:creategroup','iam:createinstanceprofile','iam:createloginprofile','iam:createopenidconnectprovider','iam:createrole','iam:createsamlprovider','iam:createservicelinkedrole','iam:createservicespecificcredential','iam:createuser','iam:createvirtualmfadevice','iam:deactivatemfadevice','iam:deleteaccesskey','iam:deleteaccountalias','iam:deletegroup','iam:deleteinstanceprofile','iam:deleteloginprofile','iam:deleteopenidconnectprovider','iam:deleterole','iam:deletesamlprovider','iam:deletesshpublickey','iam:deleteservercertificate','iam:deleteservicelinkedrole','iam:deleteservicespecificcredential','iam:deletesigningcertificate','iam:deleteUser','iam:deletevirtualmfadevice','iam:enablemfadevice','iam:passrole','iam:removeclientidfromopenidconnectprovider','iam:removerolefrominstanceprofile','iam:removeuserfromgroup','iam:resetservicespecificcredential','iam:resyncmfadevice','iam:setsecuritytokenservicepreferences','iam:updateaccesskey','iam:updateaccountpasswordpolicy','iam:updategroup','iam:updateloginprofile','iam:updateopenidconnectproviderthumbprint','iam:updaterole','iam:updateroledescription','iam:updatesamlprovider','iam:updatesshpublicKey','iam:updateservercertificate','iam:updateservicespecificcredential','iam:updatesigningcertificate','iam:updateuser','iam:uploadsshpublicKey','iam:uploadservercertificate','iam:uploadsigningcertificate','*:*') ) ) ) 
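Review bot: The rewritten `action in (...)` list mixes case: `'iam:deleteUser'`, `'iam:updatesshpublicKey'` and `'iam:uploadsshpublicKey'` sit among otherwise all-lowercase names, and the org-write list in the `@@ -1100` hunk has `'organizations:Leaveorganization'`. If `action` is normalised to lower case upstream (the CTE that produces it lies outside the hunk), these entries can never match and a role granting `iam:DeleteUser` is reported as `ok`; if it is not normalised, the rest of the lowercase list cannot match the mixed-case action names IAM emits, so either way the list should be consistently lower-cased: `'iam:deleteuser'`, `'iam:updatesshpublickey'`, `'iam:uploadsshpublickey'`, `'organizations:leaveorganization'`. Note also that only the `'*:*'` wildcard is listed, so a policy granting `iam:*` or `*` is not caught by this predicate unless it is handled elsewhere in the query.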
@@ -1052,7 +1052,7 @@ query "ec2_instance_no_iam_role_with_database_management_write_access" { and s ->> 'Effect' = 'Allow' and service = 'ec2.amazonaws.com' and ( - (action in ('rds:modifydbcluster','rds:modifydbclusterendpoint','rds:modifydbinstance','rds:modifydbsnapshot','rds:modifyglobalcluster','dynamodb:updateitem','dynamodb:updatetable','memorydb:updatecluster','neptune-db:resetdatabase','neptune-db:writedataviaquery','docdb-elastic:updatecluster','elasticache:modifycachecluster','cassandra:alter','cassandra:modify','qldb:executestatement','qldb:partiqlupdate','qldb:sendcommand','qldb:updateledger','redshift:modifycluster','redshift:modifyclustersnapshot','redshift:modifyendpointaccess','timestream:updatedatabase','timestream:updatetable','timestream:writerecords', '*:*') + (action in ('rds:modifydbcluster','rds:modifydbclusterendpoint','rds:modifydbinstance','rds:modifydbsnapshot','rds:modifyglobalcluster','dynamodb:updateitem','dynamodb:updatetable','memorydb:updatecluster','neptune-db:resetdatabase','neptune-db:writedataviaquery','docdb-elastic:updatecluster','elasticache:modifycachecluster','cassandra:alter','cassandra:modify','qldb:executestatement','qldb:partiqlupdate','qldb:sendcommand','qldb:updateledger','redshift:modifycluster','redshift:modifyclustersnapshot','redshift:modifyendpointaccess','timestream:updatedatabase','timestream:updatetable','timestream:writerecords','*:*') ) ) ) 
@@ -1100,7 +1100,7 @@ query "ec2_instance_no_iam_role_with_org_write_access" {
 and s ->> 'Effect' = 'Allow'
 and service = 'ec2.amazonaws.com'
 and (
- (action in ('organizations:accepthandshake','organizations:attachpolicy','organizations:cancelhandshake','organizations:createaccount','organizations:creategovcloudaccount','organizations:createorganization','organizations:createorganizationalunit','organizations:createpolicy','organizations:declinehandshake','organizations:deleteorganization','organizations:deleteorganizationalunit','organizations:deletepolicy','organizations:deregisterdelegatedadministrator','organizations:detachpolicy','organizations:disableawsserviceaccess','organizations:disablepolicytype','organizations:enableawsserviceaccess','organizations:enableallfeatures','organizations:enablepolicytype','organizations:inviteaccounttoorganization','organizations:Leaveorganization','organizations:moveaccount','organizations:registerdelegatedadministrator','organizations:removeaccountfromorganization','organizations:updateorganizationalunit','organizations:updatepolicy', '*:*')
+ (action in 
('organizations:accepthandshake','organizations:attachpolicy','organizations:cancelhandshake','organizations:createaccount','organizations:creategovcloudaccount','organizations:createorganization','organizations:createorganizationalunit','organizations:createpolicy','organizations:declinehandshake','organizations:deleteorganization','organizations:deleteorganizationalunit','organizations:deletepolicy','organizations:deregisterdelegatedadministrator','organizations:detachpolicy','organizations:disableawsserviceaccess','organizations:disablepolicytype','organizations:enableawsserviceaccess','organizations:enableallfeatures','organizations:enablepolicytype','organizations:inviteaccounttoorganization','organizations:Leaveorganization','organizations:moveaccount','organizations:registerdelegatedadministrator','organizations:removeaccountfromorganization','organizations:updateorganizationalunit','organizations:updatepolicy','*:*')
 )
 )
 )
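Review bot: `'organizations:Leaveorganization'` in this list keeps an uppercase letter while every other literal in the `in (...)` list is lowercase, and the same pattern appears in `'s3:putObject'` and `'es:Updateelasticsearchdomainconfig'` in both `@@ -1334` hunks, `'elasticloadbalancing:applysecuritygroupsToLoadbalancer'` in the `@@ -1654` hunk, and `'iam:deleteUser'`, `'iam:updatesshpublicKey'`, `'iam:uploadsshpublicKey'` in the iam list of the preceding hunk. The all-lowercase convention suggests `action` is lower-cased before this comparison (that normalisation is outside the hunk, so this is inferred); if so, these mixed-case entries can never match and a role granting exactly those permissions is reported `ok`, which is a silent coverage gap in the control rather than a false alarm. Lowercasing them — e.g. `'organizations:leaveorganization'`, `'s3:putobject'`, `'es:updateelasticsearchdomainconfig'`, `'elasticloadbalancing:applysecuritygroupstoloadbalancer'` — matches the rest of the list; if the comparison is instead case-sensitive against the raw policy string, applying `lower(action)` on the left side would make the whole list robust to the mixed casing found in real policies. The enclosing CTE starts outside the hunk.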
@@ -1334,7 +1334,7 @@ query "ec2_instance_no_iam_role_with_write_access_to_resource_based_policies" {
 and s ->> 'Effect' = 'Allow'
 and service = 'ec2.amazonaws.com'
 and action in (
- 'ecr:setrepositorypolicy','serverlessrepo:putapplicationpolicy','backup:putbackupvaultaccesspolicy','efs:putfilesystempolicy','glacier:setvaultaccesspolicy','secretsmanager:putresourcepolicy','events:putpermission','mediastore:putcontainerpolicy','glue:putresourcepolicy','ses:putidentitypolicy','lambda:addpermission','lambda:addlayerversionpermission','s3:putbucketpolicy','s3:putbucketacl','s3:putObject','s3:putobjectacl','kms:creategrant','kms:putkeypolicy','es:Updateelasticsearchdomainconfig','sns:addpermission','sqs:addpermission', '*:*'
+ 'ecr:setrepositorypolicy','serverlessrepo:putapplicationpolicy','backup:putbackupvaultaccesspolicy','efs:putfilesystempolicy','glacier:setvaultaccesspolicy','secretsmanager:putresourcepolicy','events:putpermission','mediastore:putcontainerpolicy','glue:putresourcepolicy','ses:putidentitypolicy','lambda:addpermission','lambda:addlayerversionpermission','s3:putbucketpolicy','s3:putbucketacl','s3:putObject','s3:putobjectacl','kms:creategrant','kms:putkeypolicy','es:Updateelasticsearchdomainconfig','sns:addpermission','sqs:addpermission','*:*'
 )
 )
 select
@@ -1381,7 +1381,7 @@ query "ec2_instance_no_iam_role_attached_with_credentials_exposure_access" {
 and s ->> 'Effect' = 'Allow'
 and service = 'ec2.amazonaws.com'
 and action in (
- 'chime:createapikey', 'codepipeline:pollforjobs', 'cognito-identity:getopenidtoken', 'cognito-identity:getopenidtokenfordeveloperidentity', 'cognito-identity:getcredentialsforidentity', 'connect:getfederationtoken', 'connect:getfederationtokens', 'ec2:getpassworddata', 'ecr:getauthorizationtoken', 'gamelift:requestuploadcredentials', 'iam:createaccesskey', 'iam:createloginprofile', 'iam:createservicespecificcredential', 'iam:resetservicespecificcredential', 'iam:updateaccesskey', 'lightsail:getinstanceaccessdetails', 'lightsail:getrelationaldatabasemasteruserpassword', 'rds-db:connect', 'redshift:getclustercredentials', 'sso:getrolecredentials', 'mediapackage:rotatechannelcredentials', 'mediapackage:rotateingestendpointcredentials', 'sts:assumerole', 'sts:assumerolewithsaml', 'sts:assumerolewithwebidentity', 'sts:getfederationtoken', 'sts:getsessiontoken', '*:*'
+ 'chime:createapikey', 'codepipeline:pollforjobs', 'cognito-identity:getopenidtoken', 'cognito-identity:getopenidtokenfordeveloperidentity', 'cognito-identity:getcredentialsforidentity', 'connect:getfederationtoken', 'connect:getfederationtokens', 'ec2:getpassworddata', 'ecr:getauthorizationtoken', 'gamelift:requestuploadcredentials', 'iam:createaccesskey', 'iam:createloginprofile', 'iam:createservicespecificcredential', 'iam:resetservicespecificcredential', 'iam:updateaccesskey', 'lightsail:getinstanceaccessdetails', 'lightsail:getrelationaldatabasemasteruserpassword', 'rds-db:connect', 'redshift:getclustercredentials', 'sso:getrolecredentials', 'mediapackage:rotatechannelcredentials', 'mediapackage:rotateingestendpointcredentials', 'sts:assumerole', 'sts:assumerolewithsaml', 'sts:assumerolewithwebidentity', 'sts:getfederationtoken', 'sts:getsessiontoken','*:*'
 )
 )
 select
@@ -1428,7 +1428,7 @@ query "ec2_instance_no_iam_role_with_alter_critical_s3_permissions_configuration
 and s ->> 'Effect' = 'Allow'
 and service = 'ec2.amazonaws.com'
 and action in (
- 's3:putobjectretention','s3:putlifecycleconfiguration','s3:putbucketpolicy','s3:putbucketversioning', '*:*'
+ 's3:putobjectretention','s3:putlifecycleconfiguration','s3:putbucketpolicy','s3:putbucketversioning','*:*'
 )
 )
 select
@@ -1474,7 +1474,7 @@ query "ec2_instance_no_iam_role_with_destruction_kms_access" {
 arn in (select role_arn from iam_roles)
 and s ->> 'Effect' = 'Allow'
 and service = 'ec2.amazonaws.com'
- and action in ('secretsmanager:getsecretvalue', 'kms:decrypt', '*:*')
+ and action in ('secretsmanager:getsecretvalue', 'kms:decrypt', '*:*')
 )
 select
 i.arn as resource,
@@ -1564,7 +1564,7 @@ query "ec2_instance_no_iam_role_with_cloud_log_tampering_access" {
 arn in (select role_arn from iam_roles)
 and s ->> 'Effect' = 'Allow'
 and service = 'ec2.amazonaws.com'
- and action in ( 'cloudtrail:deletetrail','cloudtrail:puteventselectors','cloudtrail:stoplogging','ec2:deleteflowlogs','s3:putbucketlogging','logs:deletelogstream','logs:deleteloggroup','waf:deleteloggingconfiguration','waf:putloggingconfiguration', '*:*')
+ and action in ( 'cloudtrail:deletetrail','cloudtrail:puteventselectors','cloudtrail:stoplogging','ec2:deleteflowlogs','s3:putbucketlogging','logs:deletelogstream','logs:deleteloggroup','waf:deleteloggingconfiguration','waf:putloggingconfiguration','*:*')
 )
 select
 i.arn as resource,
@@ -1609,7 +1609,7 @@ query "ec2_instance_no_iam_role_with_write_permission_on_critical_s3_configurati
 arn in (select role_arn from iam_roles)
 and s ->> 'Effect' = 'Allow'
 and service = 'ec2.amazonaws.com'
- and action in ( 's3:putobjectretention','s3:putlifecycleconfiguration','s3:putbucketpolicy','s3:putbucketversioning', '*:*')
+ and action in ( 's3:putobjectretention','s3:putlifecycleconfiguration','s3:putbucketpolicy','s3:putbucketversioning','*:*')
 )
 select
 i.arn as resource,
@@ -1654,7 +1654,7 @@ query "ec2_instance_no_iam_role_with_security_group_write_access" {
 arn in (select role_arn from iam_roles)
 and s ->> 'Effect' = 'Allow'
 and service = 'ec2.amazonaws.com'
- and action in ( 'rds:createdbsecuritygroup','rds:deletedbsecuritygroup','rds:revokedbsecuritygroupingress','ec2:authorizesecuritygroupegress','ec2:authorizesecuritygroupingress','ec2:createsecuritygroup','ec2:deletesecuritygroup','ec2:modifysecuritygrouprules','ec2:revokesecuritygroupegress','ec2:revokesecuritygroupingress','elasticloadbalancing:applysecuritygroupsToLoadbalancer','elasticloadbalancing:setsecuritygroups','redshift:authorizeclustersecuritygroupingress','redshift:createclustersecuritygroup','redshift:deleteclustersecuritygroup', '*:*')
+ and action in ( 'rds:createdbsecuritygroup','rds:deletedbsecuritygroup','rds:revokedbsecuritygroupingress','ec2:authorizesecuritygroupegress','ec2:authorizesecuritygroupingress','ec2:createsecuritygroup','ec2:deletesecuritygroup','ec2:modifysecuritygrouprules','ec2:revokesecuritygroupegress','ec2:revokesecuritygroupingress','elasticloadbalancing:applysecuritygroupsToLoadbalancer','elasticloadbalancing:setsecuritygroups','redshift:authorizeclustersecuritygroupingress','redshift:createclustersecuritygroup','redshift:deleteclustersecuritygroup','*:*')
 )
 select
 i.arn as resource,
@@ -1699,7 +1699,7 @@ query "ec2_instance_no_iam_role_with_defense_evasion_impact_of_aws_security_serv
 arn in (select role_arn from iam_roles)
 and s ->> 'Effect' = 'Allow'
 and service = 'ec2.amazonaws.com'
- and action in ( 'guardduty:updatedetector','guardduty:deletedetector','guardduty:deletemembers','guardduty:updatefilter','guardduty:deletefilter','shield:disableapplicationlayerautomaticresponse','shield:updateprotectiongroup','shield:deletesubscription','detective:disassociatemembership','detective:deletemembers','inspector:disable','config:stopconfigurationrecorder','config:deleteconfigurationrecorder','config:deleteconfigrule','config:deleteorganizationconfigrule','cloudwatch:disablealarmactions','cloudwatch:disableinsightrules', '*:*')
+ and action in ( 'guardduty:updatedetector','guardduty:deletedetector','guardduty:deletemembers','guardduty:updatefilter','guardduty:deletefilter','shield:disableapplicationlayerautomaticresponse','shield:updateprotectiongroup','shield:deletesubscription','detective:disassociatemembership','detective:deletemembers','inspector:disable','config:stopconfigurationrecorder','config:deleteconfigurationrecorder','config:deleteconfigrule','config:deleteorganizationconfigrule','cloudwatch:disablealarmactions','cloudwatch:disableinsightrules','*:*')
 )
 select
 i.arn as resource,
@@ -1789,7 +1789,7 @@ query "ec2_instance_no_iam_passrole_and_lambda_invoke_function_access" {
 arn in (select role_arn from iam_roles)
 and s ->> 'Effect' = 'Allow'
 and service = 'ec2.amazonaws.com'
- and action in ( 'iam:passrole','lambda:createfunction', 'lambda:invokefunction' ,'*:*')
+ and action in ( 'iam:passrole','lambda:createfunction', 'lambda:invokefunction','*:*')
 )
 select
 i.arn as resource,
diff --git a/conformance_pack/elb.sp b/conformance_pack/elb.sp
index c8ce2870..7fc462e2 100644
--- a/conformance_pack/elb.sp
+++ b/conformance_pack/elb.sp
@@ -1021,7 +1021,7 @@ query "elb_classic_lb_no_registered_instance" {
 when jsonb_array_length(instances) = 0 then 'alarm'
 else 'ok'
 end as status,
- title || ' has ' || jsonb_array_length(instances) || ' instances registered.' as reason
+ title || ' has ' || jsonb_array_length(instances) || ' instance(s) registered.' as reason
 ${local.tag_dimensions_sql}
 ${local.common_dimensions_sql}
 from
diff --git a/conformance_pack/kinesis.sp b/conformance_pack/kinesis.sp
index d1ea21be..464f7b3a 100644
--- a/conformance_pack/kinesis.sp
+++ b/conformance_pack/kinesis.sp
@@ -76,11 +76,11 @@ query "kinesis_firehose_delivery_stream_server_side_encryption_enabled" {
 select
 arn as resource,
 case
- when delivery_stream_encryption_configuration ->> 'Status' = 'ENABLED' then 'ok'
+ when delivery_stream_encryption_configuration ->> 'Status' = 'ENABLED' then 'ok'
 else 'alarm'
 end as status,
 case
- when delivery_stream_encryption_configuration ->> 'Status' = 'ENABLED' then title || ' server side encryption enabled.'
+ when delivery_stream_encryption_configuration ->> 'Status' = 'ENABLED' then title || ' server side encryption enabled.'
 else title || ' server side encryption disabled.'
 end as reason
 ${local.tag_dimensions_sql}
diff --git a/conformance_pack/sns.sp b/conformance_pack/sns.sp
index c2b45742..e233fc7c 100644
--- a/conformance_pack/sns.sp
+++ b/conformance_pack/sns.sp
@@ -48,7 +48,7 @@ control "sns_topic_notification_delivery_status_enabled" {
 control "sns_topic_policy_prohibit_publishing_access" {
 title = "SNS topic policies should prohibit publishing access"
- description = "Manage access to resources in the AWS Cloud by ensuring SNS topics cannot accessed publicly for publishing."
+ description = "Manage access to resources in the AWS Cloud by ensuring SNS topics cannot be accessed publicly for publishing."
 query = query.sns_topic_policy_prohibit_publishing_access
 tags = local.conformance_pack_sns_common_tags
@@ -56,7 +56,7 @@ control "sns_topic_policy_prohibit_publishing_access" {
 control "sns_topic_policy_prohibit_subscription_access" {
 title = "SNS topic policies should prohibit subscription public access"
- description = "Manage access to resources in the AWS Cloud by ensuring SNS topics cannot accessed publicly for subscription."
+ description = "Manage access to resources in the AWS Cloud by ensuring SNS topics cannot be accessed publicly for subscription."
 query = query.sns_topic_policy_prohibit_subscription_access
 tags = local.conformance_pack_sns_common_tags
@@ -182,8 +182,7 @@ query "sns_topic_policy_prohibit_publishing_access" {
 end as status,
 case
 when p.topic_arn is null then title || ' does not allow publish access without condition.'
- else title || ' contains ' || coalesce(p.statements_num,0) ||
- ' statements that allows publish access without condition.'
+ else title || ' contains ' || coalesce(p.statements_num,0) || ' statements that allows publish access without condition.'
 end as reason
 ${replace(local.tag_dimensions_qualifier_sql, "__QUALIFIER__", "t.")}
 ${replace(local.common_dimensions_qualifier_sql, "__QUALIFIER__", "t.")}
@@ -222,8 +221,7 @@ query "sns_topic_policy_prohibit_subscription_access" {
 end as status,
 case
 when p.topic_arn is null then title || ' does not allow subscribe access without condition.'
- else title || ' contains ' || coalesce(p.statements_num,0) ||
- ' statements that allows subscribe access without condition.'
+ else title || ' contains ' || coalesce(p.statements_num,0) || ' statements that allows subscribe access without condition.'
 end as reason
 ${replace(local.tag_dimensions_qualifier_sql, "__QUALIFIER__", "t.")}
 ${replace(local.common_dimensions_qualifier_sql, "__QUALIFIER__", "t.")}
@@ -261,8 +259,7 @@ query "sns_topic_policy_prohibit_cross_account_access" {
 end as status,
 case
 when p.topic_arn is null then title || ' does not allow cross account access.'
- else title || ' contains ' || coalesce(p.statements_num,0) ||
- ' statements that allows cross account access.'
+ else title || ' contains ' || coalesce(p.statements_num,0) || ' statements that allows cross account access.'
 end as reason
 ${replace(local.tag_dimensions_qualifier_sql, "__QUALIFIER__", "t.")}
 ${replace(local.common_dimensions_qualifier_sql, "__QUALIFIER__", "t.")}
diff --git a/conformance_pack/vpc.sp b/conformance_pack/vpc.sp
index 0b8f0b9c..ac6e1758 100644
--- a/conformance_pack/vpc.sp
+++ b/conformance_pack/vpc.sp
@@ -1825,7 +1825,7 @@ query "vpc_not_in_use" {
 ${local.common_dimensions_sql}
 from
 aws_vpc as v
- left join vpc_without_subnet as s on s.vpc_id = v.vpc_id
+ left join vpc_without_subnet as s on s.vpc_id = v.vpc_id;
 EOQ
 }
From 6ee5fe70a2ddb8e34703fa819021c86d422283b9 Mon Sep 17 00:00:00 2001
From: Madhushree Ray
Date: Thu, 4 Jan 2024 15:31:34 +0530
Subject: [PATCH 24/25] update
---
 all_controls/ec2.sp | 2 +-
 conformance_pack/ec2.sp | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/all_controls/ec2.sp b/all_controls/ec2.sp
index afb4050a..1d8f1e31 100644
--- a/all_controls/ec2.sp
+++ b/all_controls/ec2.sp
@@ -47,7 +47,7 @@ benchmark "all_controls_ec2" {
 control.ec2_instance_virtualization_type_no_paravirtual,
 control.ec2_launch_template_not_publicly_accessible,
 control.ec2_stopped_instance_30_days,
- control.ec2_transit_gateway_auto_cross_account_attachment_disabled,
+ control.ec2_transit_gateway_auto_cross_account_attachment_disabled
 ]
 tags = merge(local.all_controls_ec2_common_tags, {
diff --git a/conformance_pack/ec2.sp b/conformance_pack/ec2.sp
index ce0d4f77..11fa9a95 100644
--- a/conformance_pack/ec2.sp
+++ b/conformance_pack/ec2.sp
@@ -1334,7 +1334,7 @@ query "ec2_instance_no_iam_role_with_write_access_to_resource_based_policies" {
 and s ->> 'Effect' = 'Allow'
 and service = 'ec2.amazonaws.com'
 and action in (
- 'ecr:setrepositorypolicy','serverlessrepo:putapplicationpolicy','backup:putbackupvaultaccesspolicy','efs:putfilesystempolicy','glacier:setvaultaccesspolicy','secretsmanager:putresourcepolicy','events:putpermission','mediastore:putcontainerpolicy','glue:putresourcepolicy','ses:putidentitypolicy','lambda:addpermission','lambda:addlayerversionpermission','s3:putbucketpolicy','s3:putbucketacl','s3:putObject','s3:putobjectacl','kms:creategrant','kms:putkeypolicy','es:Updateelasticsearchdomainconfig','sns:addpermission','sqs:addpermission','*:*'
+ 'ecr:setrepositorypolicy','serverlessrepo:putapplicationpolicy','backup:putbackupvaultaccesspolicy','efs:putfilesystempolicy','glacier:setvaultaccesspolicy','secretsmanager:putresourcepolicy','events:putpermission','mediastore:putcontainerpolicy','glue:putresourcepolicy','ses:putidentitypolicy','lambda:addpermission','lambda:addlayerversionpermission','s3:putbucketpolicy','s3:putbucketacl','s3:putObject','s3:putobjectacl','kms:creategrant','kms:putkeypolicy','es:Updateelasticsearchdomainconfig','sns:addpermission','sqs:addpermission','*:*'
 )
 )
 select
@@ -1609,7 +1609,7 @@ query "ec2_instance_no_iam_role_with_write_permission_on_critical_s3_configurati
 arn in (select role_arn from iam_roles)
 and s ->> 'Effect' = 'Allow'
 and service = 'ec2.amazonaws.com'
- and action in ( 's3:putobjectretention','s3:putlifecycleconfiguration','s3:putbucketpolicy','s3:putbucketversioning','*:*')
+ and action in ('s3:putobjectretention','s3:putlifecycleconfiguration','s3:putbucketpolicy','s3:putbucketversioning','*:*')
 )
 select
 i.arn as resource,
@@ -1789,7 +1789,7 @@ query "ec2_instance_no_iam_passrole_and_lambda_invoke_function_access" {
 arn in (select role_arn from iam_roles)
 and s ->> 'Effect' = 'Allow'
 and service = 'ec2.amazonaws.com'
- and action in ( 'iam:passrole','lambda:createfunction', 'lambda:invokefunction','*:*')
+ and action in ( 'iam:passrole','lambda:createfunction', 'lambda:invokefunction', '*:*')
 )
 select
 i.arn as resource,
@@ -1808,4 +1808,4 @@ query "ec2_instance_no_iam_passrole_and_lambda_invoke_function_access" {
 left join iam_roles as r on r.intance_arn = i.arn
 left join iam_role_with_permission as p on p.arn = r.role_arn;
 EOQ
-}
\ No newline at end of file
+}
From d86d93e436cc2654c38aa940eb2406fc04fa85a5 Mon Sep 17 00:00:00 2001
From: Madhushree Ray
Date: Thu, 4 Jan 2024 15:33:59 +0530
Subject: [PATCH 25/25] update
---
 all_controls/config.sp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/all_controls/config.sp b/all_controls/config.sp
index 913ed322..22ecf9f8 100644
--- a/all_controls/config.sp
+++ b/all_controls/config.sp
@@ -8,7 +8,7 @@ benchmark "all_controls_config" {
 title = "Config"
 description = "This section contains recommendations for configuring Config resources."
 children = [
- control.config_configuration_recorder_no_failed_deliver_logs
+ control.config_configuration_recorder_no_failed_deliver_logs,
 control.config_enabled_all_regions
 ]