Commit
This PR includes: - ❇️ **Enhanced support for CIS AWS Foundations Benchmark v1.5.0**. Every benchmark item that can be automated is now detected by the newer pre-bundled workflow manifests. - ❇️ **Enhanced support for CIS Google Cloud Platform Foundations Benchmark**. Every benchmark item that can be automated is now detected by the newer pre-bundled workflow manifests. --- See the changes for details.
1 parent
5fd7308
commit a3f9b62
Showing
278 changed files
with
23,105 additions
and
266 deletions.
Submodule rego
updated
96 files
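--- a/workflows/cis-benchmark/aws-v1.5.0/cloudtrail/cloudwatch-logs-integration/decide.graphql
+++ b/workflows/cis-benchmark/aws-v1.5.0/cloudtrail/cloudwatch-logs-integration/decide.graphql
@@ -0,0 +1,25 @@
+{
+aws {
+accounts {
+cloudTrail {
+trails {
+metadata {
+id
+displayName
+}
+cloudWatchLogGroup {
+arn
+}
+status {
+latestCloudWatchLogsDeliveredAt
+}
+
+tags {
+key
+value
+}
+}
+}
+}
+}
+}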
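--- a/workflows/cis-benchmark/aws-v1.5.0/cloudtrail/cloudwatch-logs-integration/decide.rego
+++ b/workflows/cis-benchmark/aws-v1.5.0/cloudtrail/cloudwatch-logs-integration/decide.rego
@@ -0,0 +1,56 @@
+package policy.aws.cloudtrail.cloudwatch_logs_integration
+
+import data.shisho
+
+# this policy checks if the CloudWatch has not logged within the last 1 day
+# please adjust the `must_alert_if_not_log_for` variable depending on your needs
+must_alert_if_not_log_for := 1
+
+decisions[d] {
+account := input.aws.accounts[_]
+trail := account.cloudTrail.trails[_]
+
+allowed := has_logs_within_recent_days(trail)
+d := shisho.decision.aws.cloudtrail.cloudwatch_logs_integration({
+"allowed": allow_if_excluded(allowed, trail),
+"subject": trail.metadata.id,
+"payload": shisho.decision.aws.cloudtrail.cloudwatch_logs_integration_payload({"integrated": allowed}),
+})
+}
+
+has_logs_within_recent_days(trail) {
+trail.status.latestCloudWatchLogsDeliveredAt == null
+} else {
+# There is a log group associated with the trail
+trail.cloudWatchLogGroup.arn != ""
+
+# The log delivery is still active within the specified days
+lat := timestamp_ns(trail.status.latestCloudWatchLogsDeliveredAt)
+logged_within_recent_days(lat, must_alert_if_not_log_for)
+} else = false
+
+timestamp_ns(t) := 0 {
+t == null
+} else := time.parse_rfc3339_ns(t)
+
+logged_within_recent_days(ts, d) {
+now := time.now_ns()
+diff_ns := now - ts
+
+# confirm the difference is less than `d` days
+diff_ns < (((1000000000 * 60) * 60) * 24) * d
+} else = false
+
+allow_if_excluded(allowed, r) {
+data.params != null
+
+tag := data.params.tag_exceptions[_]
+elements := split(tag, "=")
+
+tag_key := elements[0]
+tag_value := concat("=", array.slice(elements, 1, count(elements)))
+
+t := r.tags[_]
+t.key == tag_key
+t.value == tag_value
+} else := allowed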
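Review bot: The first branch of `has_logs_within_recent_days` (the `latestCloudWatchLogsDeliveredAt == null` case) returns true without looking at `trail.cloudWatchLogGroup.arn`, so a trail with no log group and no delivery on record is reported as integrated, and `decide_test.rego` in the next section pins this by expecting the null-timestamp trail to be allowed. If null here means the trail has never delivered to CloudWatch Logs (the likely reading, but inferred from the field name), that branch is a false negative on exactly the misconfiguration this benchmark item targets; at minimum it should also require the log group, `trail.cloudWatchLogGroup.arn != ""` as the first line of that branch, and a null-timestamp-plus-empty-ARN trail belongs in the test's not-allowed set. `must_alert_if_not_log_for` is a hard-coded rule although exceptions are already read from `data.params`; reading the window from `data.params` with 1 as the fallback would let deployments tune it without editing the policy. `allow_if_excluded` is copied verbatim into `cmk-encryption/decide.rego` and `log-bucket-accessibility/decide.rego` in this commit and looks like a candidate for the shared `shisho` package.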
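--- a/workflows/cis-benchmark/aws-v1.5.0/cloudtrail/cloudwatch-logs-integration/decide_test.rego
+++ b/workflows/cis-benchmark/aws-v1.5.0/cloudtrail/cloudwatch-logs-integration/decide_test.rego
@@ -0,0 +1,76 @@
+package policy.aws.cloudtrail.cloudwatch_logs_integration
+
+import data.shisho
+import future.keywords
+
+now_ns := time.now_ns()
+
+today_string := date_string(now_ns)
+
+two_months_ago_string := date_string(time.add_date(now_ns, 0, -2, 0))
+
+date_string(date_ns) := date_as_string if {
+date := time.date(date_ns)
+date_as_string := sprintf("%d-%s-%sT00:00:00Z", [date[0], format_digit(date[1]), format_digit(date[2])])
+}
+
+format_digit(digit) = formatted_digit if {
+digit < 10
+formatted_digit := sprintf("0%d", [digit])
+} else = sprintf("%d", [digit])
+
+test_whether_cloudtrail_is_integrated_with_cloudwatch_logs if {
+# check if the CloudTrail is integrated with CloudWatch logs
+count([d |
+decisions[d]
+shisho.decision.is_allowed(d)
+]) == 2 with input as {"aws": {"accounts": [{"cloudTrail": {"trails": [
+{
+"metadata": {
+"id": "aws-cloudtrail-trail|ap-northeast-1|test-trail-1",
+"displayName": "test-trail-1",
+},
+"cloudWatchLogGroup": {"arn": "arn:aws:logs:ap-northeast-1:779392177777:log-group:test-trail-1/CloudTrailLogs:*"},
+"status": {"latestCloudWatchLogsDeliveredAt": null},
+},
+{
+"metadata": {
+"id": "aws-cloudtrail-trail|ap-northeast-1|test-trail-2",
+"displayName": "test-trail-2",
+},
+"cloudWatchLogGroup": {"arn": "arn:aws:logs:ap-northeast-1:779392177777:log-group:test-trail-2/CloudTrailLogs:*"},
+"status": {"latestCloudWatchLogsDeliveredAt": today_string},
+},
+]}}]}}
+
+# check if the CloudTrail is not integrated with CloudWatch logs
+count([d |
+decisions[d]
+not shisho.decision.is_allowed(d)
+]) == 3 with input as {"aws": {"accounts": [{"cloudTrail": {"trails": [
+{
+"metadata": {
+"id": "aws-cloudtrail-trail|ap-northeast-1|test-trail-1",
+"displayName": "test-trail-1",
+},
+"cloudWatchLogGroup": {"arn": "arn:aws:logs:ap-northeast-1:779392177777:log-group:test-trail-1/CloudTrailLogs:*"},
+"status": {"latestCloudWatchLogsDeliveredAt": ""},
+},
+{
+"metadata": {
+"id": "aws-cloudtrail-trail|ap-northeast-1|test-trail-2",
+"displayName": "test-trail-2",
+},
+"cloudWatchLogGroup": {"arn": "arn:aws:logs:ap-northeast-1:779392177777:log-group:test-trail-2/CloudTrailLogs:*"},
+"status": {"latestCloudWatchLogsDeliveredAt": two_months_ago_string},
+},
+{
+"metadata": {
+"id": "aws-cloudtrail-trail|ap-northeast-1|test-trail-3",
+"displayName": "test-trail-3",
+},
+"cloudWatchLogGroup": {"arn": ""},
+"status": {"latestCloudWatchLogsDeliveredAt": today_string},
+},
+]}}]}}
+}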
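--- a/workflows/cis-benchmark/aws-v1.5.0/cloudtrail/cmk-encryption/decide.graphql
+++ b/workflows/cis-benchmark/aws-v1.5.0/cloudtrail/cmk-encryption/decide.graphql
@@ -0,0 +1,20 @@
+{
+aws {
+accounts {
+cloudTrail {
+trails {
+metadata {
+id
+displayName
+}
+kmsKeyId
+
+tags {
+key
+value
+}
+}
+}
+}
+}
+}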
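--- a/workflows/cis-benchmark/aws-v1.5.0/cloudtrail/cmk-encryption/decide.rego
+++ b/workflows/cis-benchmark/aws-v1.5.0/cloudtrail/cmk-encryption/decide.rego
@@ -0,0 +1,28 @@
+package policy.aws.cloudtrail.cmk_encryption
+
+import data.shisho
+
+decisions[d] {
+account := input.aws.accounts[_]
+trail := account.cloudTrail.trails[_]
+
+d := shisho.decision.aws.cloudtrail.cmk_encryption({
+"allowed": allow_if_excluded(trail.kmsKeyId != "", trail),
+"subject": trail.metadata.id,
+"payload": shisho.decision.aws.cloudtrail.cmk_encryption_payload({"kms_key_id": trail.kmsKeyId}),
+})
+}
+
+allow_if_excluded(allowed, r) {
+data.params != null
+
+tag := data.params.tag_exceptions[_]
+elements := split(tag, "=")
+
+tag_key := elements[0]
+tag_value := concat("=", array.slice(elements, 1, count(elements)))
+
+t := r.tags[_]
+t.key == tag_key
+t.value == tag_value
+} else := allowed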
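Review bot: `trail.kmsKeyId != ""` on the `allowed` line accepts any value other than the empty string as a CMK, and in Rego `null != ""` is true, so if the `kmsKeyId` field can come back null for an unencrypted trail (the GraphQL query in this commit does not show the field's nullability) that trail is reported as encrypted and the payload carries `"kms_key_id": null`. `decide_test.rego` in the next section exercises only string values, so the null case is untested either way. A small helper that additionally requires a string keeps the decision strict; the `allowed` line then becomes `"allowed": allow_if_excluded(is_cmk_encrypted(trail), trail),` and the test gains a null-`kmsKeyId` trail in its not-allowed set.
```rego
d := shisho.decision.aws.cloudtrail.cmk_encryption({
"allowed": allow_if_excluded(is_cmk_encrypted(trail), trail),
# … unchanged: subject / payload …
})

# true only when the trail carries a non-empty key id string
is_cmk_encrypted(trail) {
is_string(trail.kmsKeyId)
trail.kmsKeyId != ""
} else = false
```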
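--- a/workflows/cis-benchmark/aws-v1.5.0/cloudtrail/cmk-encryption/decide_test.rego
+++ b/workflows/cis-benchmark/aws-v1.5.0/cloudtrail/cmk-encryption/decide_test.rego
@@ -0,0 +1,48 @@
+package policy.aws.cloudtrail.cmk_encryption
+
+import data.shisho
+import future.keywords
+
+test_whether_cloudtrail_is_encrypted_by_kms_cmk if {
+# check if the CloudTrail is encrypted by KMS CMK
+count([d |
+decisions[d]
+shisho.decision.is_allowed(d)
+]) == 2 with input as {"aws": {"accounts": [{"cloudTrail": {"trails": [
+{
+"metadata": {
+"id": "aws-cloudtrail-trail|ap-northeast-1|test-trail-1",
+"displayName": "test-trail-1",
+},
+"kmsKeyId": "arn:aws:kms:ap-northeast-1:779392177777:key/6c7079dc-390c-4724-9e29-920317477777",
+},
+{
+"metadata": {
+"id": "aws-cloudtrail-trail|ap-northeast-1|test-trail-2",
+"displayName": "test-trail-2",
+},
+"kmsKeyId": "arn:aws:kms:ap-northeast-1:779392177777:key/6c7079dc-390c-4724-9e29-920317488888",
+},
+]}}]}}
+
+# check if the CloudTrail is not encrypted by KMS CMK
+count([d |
+decisions[d]
+not shisho.decision.is_allowed(d)
+]) == 2 with input as {"aws": {"accounts": [{"cloudTrail": {"trails": [
+{
+"metadata": {
+"id": "aws-cloudtrail-trail|ap-northeast-1|test-trail-1",
+"displayName": "test-trail-1",
+},
+"kmsKeyId": "",
+},
+{
+"metadata": {
+"id": "aws-cloudtrail-trail|ap-northeast-1|test-trail-2",
+"displayName": "test-trail-2",
+},
+"kmsKeyId": "",
+},
+]}}]}}
+}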
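--- a/workflows/cis-benchmark/aws-v1.5.0/cloudtrail/log-bucket-accessibility/decide.graphql
+++ b/workflows/cis-benchmark/aws-v1.5.0/cloudtrail/log-bucket-accessibility/decide.graphql
@@ -0,0 +1,32 @@
+{
+aws {
+accounts {
+cloudTrail {
+trails {
+metadata {
+id
+displayName
+}
+s3Bucket {
+name
+aclGrants {
+grantee {
+displayName
+uri
+}
+permission
+}
+policy {
+rawDocument
+}
+}
+
+tags {
+key
+value
+}
+}
+}
+}
+}
+}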
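--- a/workflows/cis-benchmark/aws-v1.5.0/cloudtrail/log-bucket-accessibility/decide.rego
+++ b/workflows/cis-benchmark/aws-v1.5.0/cloudtrail/log-bucket-accessibility/decide.rego
@@ -0,0 +1,67 @@
+package policy.aws.cloudtrail.log_bucket_accessibility
+
+import data.shisho
+
+decisions[d] {
+account := input.aws.accounts[_]
+trail := account.cloudTrail.trails[_]
+
+accessible := is_publicly_accessible(trail.s3Bucket)
+d := shisho.decision.aws.cloudtrail.log_bucket_accessibility({
+"allowed": allow_if_excluded(accessible == false, trail),
+"subject": trail.metadata.id,
+"payload": shisho.decision.aws.cloudtrail.log_bucket_accessibility_payload({
+"bucket_name": trail.s3Bucket.name,
+"acl_rules": [{
+"grantee_url": grant.grantee.displayName,
+"permission": grant.permission,
+} |
+grant := trail.s3Bucket.aclGrants[_]
+],
+"bucket_policy_document": trail.s3Bucket.policy.rawDocument,
+}),
+})
+}
+
+is_publicly_accessible(s3Bucket) {
+has_insecure_acl_grants(s3Bucket.aclGrants)
+} else {
+has_insecure_bucket_policy(s3Bucket.policy.rawDocument)
+} else = false
+
+has_insecure_acl_grants(grants) {
+grant := grants[_]
+denied_uris := [
+"https://acs.amazonaws.com/groups/global/AllUsers",
+"https://acs.amazonaws.com/groups/global/AuthenticatedUsers",
+]
+denied_uris[_] == grant.grantee.uri
+} else = false
+
+has_insecure_bucket_policy(raw_document) {
+p := json.unmarshal(raw_document)
+
+statement := p.Statement[_]
+statement.Effect == "Allow"
+is_public_principal(statement.Principal)
+} else = false
+
+is_public_principal(principal) {
+principal == "*"
+} else {
+principal.AWS == "*"
+} else = false
+
+allow_if_excluded(allowed, r) {
+data.params != null
+
+tag := data.params.tag_exceptions[_]
+elements := split(tag, "=")
+
+tag_key := elements[0]
+tag_value := concat("=", array.slice(elements, 1, count(elements)))
+
+t := r.tags[_]
+t.key == tag_key
+t.value == tag_value
+} else := allowed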
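Review bot: `is_public_principal` recognises `"*"` and `{"AWS": "*"}` but not the array form `{"AWS": ["*"]}`, which the IAM policy grammar accepts, so `has_insecure_bucket_policy` would report such a bucket policy as not public; adding a third branch, `} else { principal.AWS[_] == "*" }`, before the final `else = false` covers it. The same rule iterates `p.Statement[_]`, and if I read the IAM grammar correctly `Statement` may also be a single object rather than an array; in that case the iteration walks the object's values, `statement.Effect` is undefined, and the statement is silently skipped rather than evaluated. In the payload, `"grantee_url"` is filled from `grant.grantee.displayName` while the decision itself compares `grant.grantee.uri`; reporting `grant.grantee.uri` there would make the evidence match the check. Statements that carry a `Condition` are flagged the same as unconditional ones, which is the conservative choice for a log bucket but deserves a one-line comment above `has_insecure_bucket_policy` so the behaviour reads as intended.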