release: 2023/10/02

workflows/cis-benchmark/aws-v1.5.0/cloudtrail/cloudwatch-logs-integration/decide.graphql

@@ -0,0 +1,25 @@
+{
+  aws {
+    accounts {
+      cloudTrail {
+        trails {
+          metadata {
+            id
+            displayName
+          }
+          cloudWatchLogGroup {
+            arn
+          }
+          status {
+            latestCloudWatchLogsDeliveredAt
+          }
+
+          tags {
+            key
+            value
+          }
+        }
+      }
+    }
+  }
+}

workflows/cis-benchmark/aws-v1.5.0/cloudtrail/cloudwatch-logs-integration/decide.rego

@@ -0,0 +1,56 @@
+package policy.aws.cloudtrail.cloudwatch_logs_integration
+
+import data.shisho
+
+# this policy checks if the CloudWatch has not logged within the last 1 day
+# please adjust the `must_alert_if_not_log_for` variable depending on your needs
+must_alert_if_not_log_for := 1
+
+decisions[d] {
+	account := input.aws.accounts[_]
+	trail := account.cloudTrail.trails[_]
+
+	allowed := has_logs_within_recent_days(trail)
+	d := shisho.decision.aws.cloudtrail.cloudwatch_logs_integration({
+		"allowed": allow_if_excluded(allowed, trail),
+		"subject": trail.metadata.id,
+		"payload": shisho.decision.aws.cloudtrail.cloudwatch_logs_integration_payload({"integrated": allowed}),
+	})
+}
+
+has_logs_within_recent_days(trail) {
+	trail.status.latestCloudWatchLogsDeliveredAt == null
+} else {
+	# There is a log group associated with the trail
+	trail.cloudWatchLogGroup.arn != ""
+
+	# The log delivery is still active within the specified days
+	lat := timestamp_ns(trail.status.latestCloudWatchLogsDeliveredAt)
+	logged_within_recent_days(lat, must_alert_if_not_log_for)
+} else = false
+
+timestamp_ns(t) := 0 {
+	t == null
+} else := time.parse_rfc3339_ns(t)
+
+logged_within_recent_days(ts, d) {
+	now := time.now_ns()
+	diff_ns := now - ts
+
+	# confirm the difference is less than `d` days
+	diff_ns < (((1000000000 * 60) * 60) * 24) * d
+} else = false
+
+allow_if_excluded(allowed, r) {
+	data.params != null
+
+	tag := data.params.tag_exceptions[_]
+	elements := split(tag, "=")
+
+	tag_key := elements[0]
+	tag_value := concat("=", array.slice(elements, 1, count(elements)))
+
+	t := r.tags[_]
+	t.key == tag_key
+	t.value == tag_value
+} else := allowed

workflows/cis-benchmark/aws-v1.5.0/cloudtrail/cloudwatch-logs-integration/decide_test.rego

@@ -0,0 +1,76 @@
+package policy.aws.cloudtrail.cloudwatch_logs_integration
+
+import data.shisho
+import future.keywords
+
+now_ns := time.now_ns()
+
+today_string := date_string(now_ns)
+
+two_months_ago_string := date_string(time.add_date(now_ns, 0, -2, 0))
+
+date_string(date_ns) := date_as_string if {
+	date := time.date(date_ns)
+	date_as_string := sprintf("%d-%s-%sT00:00:00Z", [date[0], format_digit(date[1]), format_digit(date[2])])
+}
+
+format_digit(digit) = formatted_digit if {
+	digit < 10
+	formatted_digit := sprintf("0%d", [digit])
+} else = sprintf("%d", [digit])
+
+test_whether_cloudtrail_is_integrated_with_cloudwatch_logs if {
+	# check if the CloudTrail is integrated with CloudWatch logs
+	count([d |
+		decisions[d]
+		shisho.decision.is_allowed(d)
+	]) == 2 with input as {"aws": {"accounts": [{"cloudTrail": {"trails": [
+		{
+			"metadata": {
+				"id": "aws-cloudtrail-trail|ap-northeast-1|test-trail-1",
+				"displayName": "test-trail-1",
+			},
+			"cloudWatchLogGroup": {"arn": "arn:aws:logs:ap-northeast-1:779392177777:log-group:test-trail-1/CloudTrailLogs:*"},
+			"status": {"latestCloudWatchLogsDeliveredAt": null},
+		},
+		{
+			"metadata": {
+				"id": "aws-cloudtrail-trail|ap-northeast-1|test-trail-2",
+				"displayName": "test-trail-2",
+			},
+			"cloudWatchLogGroup": {"arn": "arn:aws:logs:ap-northeast-1:779392177777:log-group:test-trail-2/CloudTrailLogs:*"},
+			"status": {"latestCloudWatchLogsDeliveredAt": today_string},
+		},
+	]}}]}}
+
+	# check if the CloudTrail is not integrated with CloudWatch logs
+	count([d |
+		decisions[d]
+		not shisho.decision.is_allowed(d)
+	]) == 3 with input as {"aws": {"accounts": [{"cloudTrail": {"trails": [
+		{
+			"metadata": {
+				"id": "aws-cloudtrail-trail|ap-northeast-1|test-trail-1",
+				"displayName": "test-trail-1",
+			},
+			"cloudWatchLogGroup": {"arn": "arn:aws:logs:ap-northeast-1:779392177777:log-group:test-trail-1/CloudTrailLogs:*"},
+			"status": {"latestCloudWatchLogsDeliveredAt": ""},
+		},
+		{
+			"metadata": {
+				"id": "aws-cloudtrail-trail|ap-northeast-1|test-trail-2",
+				"displayName": "test-trail-2",
+			},
+			"cloudWatchLogGroup": {"arn": "arn:aws:logs:ap-northeast-1:779392177777:log-group:test-trail-2/CloudTrailLogs:*"},
+			"status": {"latestCloudWatchLogsDeliveredAt": two_months_ago_string},
+		},
+		{
+			"metadata": {
+				"id": "aws-cloudtrail-trail|ap-northeast-1|test-trail-3",
+				"displayName": "test-trail-3",
+			},
+			"cloudWatchLogGroup": {"arn": ""},
+			"status": {"latestCloudWatchLogsDeliveredAt": today_string},
+		},
+	]}}]}}
+}

workflows/cis-benchmark/aws-v1.5.0/cloudtrail/cmk-encryption/decide.graphql

@@ -0,0 +1,20 @@
+{
+  aws {
+    accounts {
+      cloudTrail {
+        trails {
+          metadata {
+            id
+            displayName
+          }
+          kmsKeyId
+
+          tags {
+            key
+            value
+          }
+        }
+      }
+    }
+  }
+}

workflows/cis-benchmark/aws-v1.5.0/cloudtrail/cmk-encryption/decide.rego

@@ -0,0 +1,28 @@
+package policy.aws.cloudtrail.cmk_encryption
+
+import data.shisho
+
+decisions[d] {
+	account := input.aws.accounts[_]
+	trail := account.cloudTrail.trails[_]
+
+	d := shisho.decision.aws.cloudtrail.cmk_encryption({
+		"allowed": allow_if_excluded(trail.kmsKeyId != "", trail),
+		"subject": trail.metadata.id,
+		"payload": shisho.decision.aws.cloudtrail.cmk_encryption_payload({"kms_key_id": trail.kmsKeyId}),
+	})
+}
+
+allow_if_excluded(allowed, r) {
+	data.params != null
+
+	tag := data.params.tag_exceptions[_]
+	elements := split(tag, "=")
+
+	tag_key := elements[0]
+	tag_value := concat("=", array.slice(elements, 1, count(elements)))
+
+	t := r.tags[_]
+	t.key == tag_key
+	t.value == tag_value
+} else := allowed

workflows/cis-benchmark/aws-v1.5.0/cloudtrail/cmk-encryption/decide_test.rego

@@ -0,0 +1,48 @@
+package policy.aws.cloudtrail.cmk_encryption
+
+import data.shisho
+import future.keywords
+
+test_whether_cloudtrail_is_encrypted_by_kms_cmk if {
+	# check if the CloudTrail is encrypted by KMS CMK
+	count([d |
+		decisions[d]
+		shisho.decision.is_allowed(d)
+	]) == 2 with input as {"aws": {"accounts": [{"cloudTrail": {"trails": [
+		{
+			"metadata": {
+				"id": "aws-cloudtrail-trail|ap-northeast-1|test-trail-1",
+				"displayName": "test-trail-1",
+			},
+			"kmsKeyId": "arn:aws:kms:ap-northeast-1:779392177777:key/6c7079dc-390c-4724-9e29-920317477777",
+		},
+		{
+			"metadata": {
+				"id": "aws-cloudtrail-trail|ap-northeast-1|test-trail-2",
+				"displayName": "test-trail-2",
+			},
+			"kmsKeyId": "arn:aws:kms:ap-northeast-1:779392177777:key/6c7079dc-390c-4724-9e29-920317488888",
+		},
+	]}}]}}
+
+	# check if the CloudTrail is not encrypted by KMS CMK
+	count([d |
+		decisions[d]
+		not shisho.decision.is_allowed(d)
+	]) == 2 with input as {"aws": {"accounts": [{"cloudTrail": {"trails": [
+		{
+			"metadata": {
+				"id": "aws-cloudtrail-trail|ap-northeast-1|test-trail-1",
+				"displayName": "test-trail-1",
+			},
+			"kmsKeyId": "",
+		},
+		{
+			"metadata": {
+				"id": "aws-cloudtrail-trail|ap-northeast-1|test-trail-2",
+				"displayName": "test-trail-2",
+			},
+			"kmsKeyId": "",
+		},
+	]}}]}}
+}

workflows/cis-benchmark/aws-v1.5.0/cloudtrail/log-bucket-accessibility/decide.graphql

@@ -0,0 +1,32 @@
+{
+  aws {
+    accounts {
+      cloudTrail {
+        trails {
+          metadata {
+            id
+            displayName
+          }
+          s3Bucket {
+            name
+            aclGrants {
+              grantee {
+                displayName
+                uri
+              }
+              permission
+            }
+            policy {
+              rawDocument
+            }
+          }
+
+          tags {
+            key
+            value
+          }
+        }
+      }
+    }
+  }
+}

workflows/cis-benchmark/aws-v1.5.0/cloudtrail/log-bucket-accessibility/decide.rego

@@ -0,0 +1,67 @@
+package policy.aws.cloudtrail.log_bucket_accessibility
+
+import data.shisho
+
+decisions[d] {
+	account := input.aws.accounts[_]
+	trail := account.cloudTrail.trails[_]
+
+	accessible := is_publicly_accessible(trail.s3Bucket)
+	d := shisho.decision.aws.cloudtrail.log_bucket_accessibility({
+		"allowed": allow_if_excluded(accessible == false, trail),
+		"subject": trail.metadata.id,
+		"payload": shisho.decision.aws.cloudtrail.log_bucket_accessibility_payload({
+			"bucket_name": trail.s3Bucket.name,
+			"acl_rules": [{
+				"grantee_url": grant.grantee.displayName,
+				"permission": grant.permission,
+			} |
+				grant := trail.s3Bucket.aclGrants[_]
+			],
+			"bucket_policy_document": trail.s3Bucket.policy.rawDocument,
+		}),
+	})
+}
+
+is_publicly_accessible(s3Bucket) {
+	has_insecure_acl_grants(s3Bucket.aclGrants)
+} else {
+	has_insecure_bucket_policy(s3Bucket.policy.rawDocument)
+} else = false
+
+has_insecure_acl_grants(grants) {
+	grant := grants[_]
+	denied_uris := [
+		"https://acs.amazonaws.com/groups/global/AllUsers",
+		"https://acs.amazonaws.com/groups/global/AuthenticatedUsers",
+	]
+	denied_uris[_] == grant.grantee.uri
+} else = false
+
+has_insecure_bucket_policy(raw_document) {
+	p := json.unmarshal(raw_document)
+
+	statement := p.Statement[_]
+	statement.Effect == "Allow"
+	is_public_principal(statement.Principal)
+} else = false
+
+is_public_principal(principal) {
+	principal == "*"
+} else {
+	principal.AWS == "*"
+} else = false
+
+allow_if_excluded(allowed, r) {
+	data.params != null
+
+	tag := data.params.tag_exceptions[_]
+	elements := split(tag, "=")
+
+	tag_key := elements[0]
+	tag_value := concat("=", array.slice(elements, 1, count(elements)))
+
+	t := r.tags[_]
+	t.key == tag_key
+	t.value == tag_value
+} else := allowed