release: 2023/08/23

flatt-security · Aug 23, 2023 · e2a4afe · e2a4afe
1 parent 401ff14
commit e2a4afe
Show file tree

Hide file tree

Showing 76 changed files with 1,312 additions and 205 deletions.
diff --git a/sdk/rego b/sdk/rego
diff --git a/workflows/cis-benchmark/aws-v1.5.0/efs/manifest.yaml b/workflows/cis-benchmark/aws-v1.5.0/efs/manifest.yaml
@@ -18,5 +18,10 @@ jobs:
           multiple: true
           description: A special list of resource exceptions
           values: []
+        tag_exceptions:
+          type: string
+          multiple: true
+          description: A list of AWS tags with which resources can have any settings automatically. For instance, if you include `Environment=production` for this value, all resources with `Environment=production` will be allowed automatically.
+          values: []
       input:
         schema: !include volume-encryption/decide.graphql
diff --git a/workflows/cis-benchmark/aws-v1.5.0/efs/volume-encryption/decide.graphql b/workflows/cis-benchmark/aws-v1.5.0/efs/volume-encryption/decide.graphql
@@ -8,6 +8,11 @@ query {
           }
           name
           encrypted
+
+          tags {
+            key
+            value
+          }
         }
       }
     }

diff --git a/workflows/cis-benchmark/aws-v1.5.0/efs/volume-encryption/decide.rego b/workflows/cis-benchmark/aws-v1.5.0/efs/volume-encryption/decide.rego
@@ -7,10 +7,23 @@ decisions[d] {
 	filesystem := account.efs.fileSystems[_]
 
 	encrypted := filesystem.encrypted
-
 	d := shisho.decision.aws.efs.volume_encryption({
-		"allowed": encrypted,
+		"allowed": allow_if_excluded(encrypted, filesystem),
 		"subject": filesystem.metadata.id,
 		"payload": shisho.decision.aws.efs.volume_encryption_payload({"encrypted": encrypted}),
 	})
 }
+
+allow_if_excluded(allowed, r) {
+	data.params != null
+
+	tag := data.params.tag_exceptions[_]
+	elements := split(tag, "=")
+
+	tag_key := elements[0]
+	tag_value := concat("=", array.slice(elements, 1, count(elements)))
+
+	t := r.tags[_]
+	t.key == tag_key
+	t.value == tag_value
+} else := allowed
diff --git a/workflows/cis-benchmark/aws-v1.5.0/efs/volume-encryption/decide_test.rego b/workflows/cis-benchmark/aws-v1.5.0/efs/volume-encryption/decide_test.rego
@@ -4,7 +4,6 @@ import data.shisho
 import future.keywords
 
 test_whether_encryption_is_enabled_for_aws_efs_file_systems if {
-	# check if the encryption is enabled for AWS EFS file systems
 	count([d |
 		decisions[d]
 		shisho.decision.is_allowed(d)
@@ -23,7 +22,6 @@ test_whether_encryption_is_enabled_for_aws_efs_file_systems if {
 		},
 	]}}]}}
 
-	# check if all users is accessible for a Google Cloud BigQuery datasets
 	count([d |
 		decisions[d]
 		not shisho.decision.is_allowed(d)
@@ -41,4 +39,24 @@ test_whether_encryption_is_enabled_for_aws_efs_file_systems if {
 			"encrypted": true,
 		},
 	]}}]}}
+
+	count([d |
+		decisions[d]
+		shisho.decision.is_allowed(d)
+	]) == 2 with input as {"aws": {"accounts": [{"efs": {"fileSystems": [
+		{
+			"metadata": {"id": "aws-efs-filesystem|ap-northeast-1|fs-012583c95abf7777c"},
+			"encrypted": false,
+		},
+		{
+			"metadata": {"id": "aws-efs-filesystem|ap-northeast-1|fs-012583c95abf8888c"},
+			"encrypted": false,
+			"tags": [{"key": "foo", "value": "bar=piyo"}],
+		},
+		{
+			"metadata": {"id": "aws-efs-filesystem|ap-northeast-1|fs-012583c95abf9999c"},
+			"encrypted": true,
+		},
+	]}}]}}
+		with data.params as {"tag_exceptions": ["foo=bar=piyo"]}
 }
diff --git a/workflows/cis-benchmark/aws-v1.5.0/iam/credentials-inventory/decide.graphql b/workflows/cis-benchmark/aws-v1.5.0/iam/credentials-inventory/decide.graphql
@@ -15,6 +15,11 @@
               lastUsedAt
             }
           }
+
+          tags {
+            key
+            value
+          }
         }
       }
     }

diff --git a/workflows/cis-benchmark/aws-v1.5.0/iam/credentials-inventory/decide.rego b/workflows/cis-benchmark/aws-v1.5.0/iam/credentials-inventory/decide.rego
@@ -3,7 +3,7 @@ package policy.aws.iam.credentials_inventory
 import data.shisho
 
 # this policy checks if the credentials are created/used within the last 45 days
-# please adjust the `days_of_accepted_age` variable depending on your needs
+# please adjust the `must_alert_if_unused_for` variable depending on your needs
 must_alert_if_unused_for := 45
 
 decisions[d] {
@@ -20,7 +20,7 @@ decisions[d] {
 	allowed := active
 
 	d := shisho.decision.aws.iam.credentials_inventory({
-		"allowed": allowed,
+		"allowed": allow_if_excluded(allowed, user),
 		"subject": user.metadata.id,
 		"payload": shisho.decision.aws.iam.credentials_inventory_payload({
 			"last_used_at": time.format(lat),
@@ -72,3 +72,17 @@ used_within_recent_days(ts, d) {
 	# True if the difference is less than `d` days
 	diff_ns < (((1000000000 * 60) * 60) * 24) * d
 } else = false
+
+allow_if_excluded(allowed, r) {
+	data.params != null
+
+	tag := data.params.tag_exceptions[_]
+	elements := split(tag, "=")
+
+	tag_key := elements[0]
+	tag_value := concat("=", array.slice(elements, 1, count(elements)))
+
+	t := r.tags[_]
+	t.key == tag_key
+	t.value == tag_value
+} else := allowed
diff --git a/workflows/cis-benchmark/aws-v1.5.0/iam/credentials-inventory/decide_test.rego b/workflows/cis-benchmark/aws-v1.5.0/iam/credentials-inventory/decide_test.rego
@@ -5,31 +5,19 @@ import future.keywords
 
 now_ns := time.now_ns()
 
-now := time.date(now_ns)
+today_string := date_string(now_ns)
 
-today_string := sprintf("%d-%s-%sT00:00:00Z", [now[0], get_month(now[1]), get_day(now[2])])
+two_months_ago_string := date_string(time.add_date(now_ns, 0, -2, 0))
 
-two_months_ago_ns := time.add_date(now_ns, 0, -2, -0)
-
-two_months_ago := time.date(two_months_ago_ns)
-
-two_months_ago_string := sprintf("%d-%s-%sT00:00:00Z", [two_months_ago[0], get_month(two_months_ago[1]), get_day(two_months_ago[2])])
-
-get_month(month) = month_string if {
-	month <= 10
-	month_string := sprintf("0%d", [month])
-} else = month_string if {
-	month > 10
-	month_string := sprintf("%d", [month])
+date_string(date_ns) := date_as_string if {
+	date := time.date(date_ns)
+	date_as_string := sprintf("%d-%s-%sT00:00:00Z", [date[0], format_digit(date[1]), format_digit(date[2])])
 }
 
-get_day(day) := day_string if {
-	day <= 10
-	day_string := sprintf("0%d", [day])
-} else := day_string if {
-	day > 10
-	day_string := sprintf("%d", [day])
-}
+format_digit(digit) = formatted_digit if {
+	digit < 10
+	formatted_digit := sprintf("0%d", [digit])
+} else = sprintf("%d", [digit])
 
 test_whether_the_user_or_access_key_are_used_within_45_days if {
 	# check if the users are created within 45 days
@@ -237,4 +225,32 @@ test_whether_the_user_or_access_key_are_used_within_45_days if {
 			}],
 		},
 	]}}]}}
+
+	# check tag_exceptions works
+	count([d |
+		decisions[d]
+		shisho.decision.is_allowed(d)
+	]) == 1 with input as {"aws": {"accounts": [{"iam": {"users": [
+		{
+			"metadata": {"id": "aws-iam-user|AIDA3K53E73AAAAAAAAAA"},
+			"createdAt": two_months_ago_string,
+			"passwordLastUsedAt": null,
+			"accessKeys": [{
+				"createdAt": two_months_ago_string,
+				"lastUsed": {"lastUsedAt": two_months_ago_string},
+			}],
+			"tags": [{"key": "foo", "value": "bar=piyo"}],
+		},
+		{
+			"metadata": {"id": "aws-iam-user|AIDA3K53E73BBBBBBBBBB"},
+			"createdAt": two_months_ago_string,
+			"passwordLastUsedAt": null,
+			"accessKeys": [{
+				"createdAt": two_months_ago_string,
+				"lastUsed": {"lastUsedAt": two_months_ago_string},
+			}],
+			"tags": [{"key": "foo", "value": "unrelated"}],
+		},
+	]}}]}}
+		with data.params as {"tag_exceptions": ["foo=bar=piyo"]}
 }
diff --git a/workflows/cis-benchmark/aws-v1.5.0/iam/key-rotation/decide.graphql b/workflows/cis-benchmark/aws-v1.5.0/iam/key-rotation/decide.graphql
@@ -12,6 +12,11 @@
               lastUsedAt
             }
           }
+
+          tags {
+            key
+            value
+          }
         }
       }
     }

diff --git a/workflows/cis-benchmark/aws-v1.5.0/iam/key-rotation/decide.rego b/workflows/cis-benchmark/aws-v1.5.0/iam/key-rotation/decide.rego
@@ -15,7 +15,7 @@ decisions[d] {
 	allowed := count(keys) == 0
 
 	d := shisho.decision.aws.iam.key_rotation({
-		"allowed": allowed,
+		"allowed": allow_if_excluded(allowed, user),
 		"subject": user.metadata.id,
 		"payload": shisho.decision.aws.iam.key_rotation_payload({
 			"keys_requiring_rotation": keys,
@@ -52,3 +52,17 @@ needs_rotation(key) {
 	t := time.parse_rfc3339_ns(key.lastUsed.lastUsedAt)
 	now - t > (((1000000000 * 60) * 60) * 24) * days_of_accepted_age
 } else = false
+
+allow_if_excluded(allowed, r) {
+	data.params != null
+
+	tag := data.params.tag_exceptions[_]
+	elements := split(tag, "=")
+
+	tag_key := elements[0]
+	tag_value := concat("=", array.slice(elements, 1, count(elements)))
+
+	t := r.tags[_]
+	t.key == tag_key
+	t.value == tag_value
+} else := allowed
diff --git a/workflows/cis-benchmark/aws-v1.5.0/iam/key-rotation/decide_test.rego b/workflows/cis-benchmark/aws-v1.5.0/iam/key-rotation/decide_test.rego
@@ -5,31 +5,19 @@ import future.keywords
 
 now_ns := time.now_ns()
 
-now := time.date(now_ns)
+today_string := date_string(now_ns)
 
-today_string := sprintf("%d-%s-%sT00:00:00Z", [now[0], get_month(now[1]), get_day(now[2])])
+four_months_ago_string := date_string(time.add_date(now_ns, 0, -4, 0))
 
-four_months_ago_ns := time.add_date(now_ns, 0, -4, -0)
-
-four_months_ago := time.date(four_months_ago_ns)
-
-four_months_ago_string := sprintf("%d-%s-%sT00:00:00Z", [four_months_ago[0], get_month(four_months_ago[1]), get_day(four_months_ago[2])])
-
-get_month(month) = month_string if {
-	month <= 10
-	month_string := sprintf("0%d", [month])
-} else = month_string if {
-	month > 10
-	month_string := sprintf("%d", [month])
+date_string(date_ns) := date_as_string if {
+	date := time.date(date_ns)
+	date_as_string := sprintf("%d-%s-%sT00:00:00Z", [date[0], format_digit(date[1]), format_digit(date[2])])
 }
 
-get_day(day) := day_string if {
-	day <= 10
-	day_string := sprintf("0%d", [day])
-} else := day_string if {
-	day > 10
-	day_string := sprintf("%d", [day])
-}
+format_digit(digit) = formatted_digit if {
+	digit < 10
+	formatted_digit := sprintf("0%d", [digit])
+} else = sprintf("%d", [digit])
 
 test_whether_all_access_keys_are_rotated_within_90_days if {
 	# check if all access keys are used or created within 90 days
@@ -124,4 +112,44 @@ test_whether_all_access_keys_are_rotated_within_90_days if {
 			],
 		},
 	]}}]}}
+
+	# check tag_exceptions works
+	count([d |
+		decisions[d]
+		shisho.decision.is_allowed(d)
+	]) == 1 with input as {"aws": {"accounts": [{"iam": {"users": [
+		{
+			"metadata": {"id": "aws-iam-user|AIDA3K53E73AAAAAAAAAA"},
+			"accessKeys": [
+				{
+					"id": "1",
+					"createdAt": "2021-03-17T11:49:31Z",
+					"lastUsed": {"lastUsedAt": four_months_ago_string},
+				},
+				{
+					"id": "2",
+					"createdAt": "2021-03-17T11:49:31Z",
+					"lastUsed": {"lastUsedAt": today_string},
+				},
+			],
+			"tags": [{"key": "foo", "value": "bar=piyo"}],
+		},
+		{
+			"metadata": {"id": "aws-iam-user|AIDA3K53E73BBBBBBBBBB"},
+			"accessKeys": [
+				{
+					"id": "1",
+					"createdAt": four_months_ago_string,
+					"lastUsed": null,
+				},
+				{
+					"id": "2",
+					"createdAt": "2021-03-17T11:49:31Z",
+					"lastUsed": {"lastUsedAt": today_string},
+				},
+			],
+			"tags": [{"key": "foo", "value": "unrelated"}],
+		},
+	]}}]}}
+		with data.params as {"tag_exceptions": ["foo=bar=piyo"]}
 }
diff --git a/workflows/cis-benchmark/aws-v1.5.0/iam/manifest.yaml b/workflows/cis-benchmark/aws-v1.5.0/iam/manifest.yaml
@@ -18,6 +18,11 @@ jobs:
           multiple: true
           description: A special list of resource exceptions
           values: []
+        tag_exceptions:
+          type: string
+          multiple: true
+          description: A list of AWS tags with which resources can have any settings automatically. For instance, if you include `Environment=production` for this value, all resources with `Environment=production` will be allowed automatically.
+          values: []
       input:
         schema: !include credentials-inventory/decide.graphql
   - id: key-rotation
@@ -30,6 +35,11 @@ jobs:
           multiple: true
           description: A special list of resource exceptions
           values: []
+        tag_exceptions:
+          type: string
+          multiple: true
+          description: A list of AWS tags with which resources can have any settings automatically. For instance, if you include `Environment=production` for this value, all resources with `Environment=production` will be allowed automatically.
+          values: []
       input:
         schema: !include key-rotation/decide.graphql
   - id: password-length
@@ -66,6 +76,11 @@ jobs:
           multiple: true
           description: A special list of resource exceptions
           values: []
+        tag_exceptions:
+          type: string
+          multiple: true
+          description: A list of AWS tags with which resources can have any settings automatically. For instance, if you include `Environment=production` for this value, all resources with `Environment=production` will be allowed automatically.
+          values: []
       input:
         schema: !include permissive-policy-limitation/decide.graphql
   - id: root-user-hardware-mfa
@@ -81,7 +96,7 @@ jobs:
       input:
         schema: !include root-user-hardware-mfa/decide.graphql
   - id: root-user-key
-    name: Review the access keys of users
+    name: Review the access keys of the roor user
     decide:
       rego: !include root-user-key/decide.rego
       with:
@@ -93,7 +108,7 @@ jobs:
       input:
         schema: !include root-user-key/decide.graphql
   - id: root-user-mfa
-    name: Review the usage of MFA devices
+    name: Review the usage of MFA devices of the roor user
     decide:
       rego: !include root-user-mfa/decide.rego
       with: