diff --git a/resources/policies/aws-best-practices.yaml b/resources/policies/aws-best-practices.yaml
index 11c653e1..7a807eeb 100644
--- a/resources/policies/aws-best-practices.yaml
+++ b/resources/policies/aws-best-practices.yaml
@@ -88,13 +88,11 @@ ruleIds:
 - aws-database-redshift-backup-enabled.yaml
 - aws-database-rds-instance-iam-authentication-enabled.yaml
 - aws-database-rds-cluster-iam-authentication-enabled.yaml
- - aws-database-dynamodb-table-encrypted-kms.yaml
 - aws-database-dynamodb-pitr-enabled.yaml
 - aws-database-dynamodb-autoscaling-enabled.yaml
 - aws-database-dynamodb-resources-protected-by-backup-plan.yaml
 - aws-database-rds-enhanced-monitoring-enabled.yaml
 - aws-database-rds-cluster-deletion-protection-enabled.yaml
- - aws-database-dynamodb-table-encryption-enabled.yaml
 - aws-database-rds-storage-encrypted.yaml
 - aws-database-rds-snapshot-encrypted.yaml
 - aws-database-rds-cluster-multi-az-enabled.yaml
@@ -127,7 +125,6 @@ ruleIds:
 - aws-compute-lambda-inside-vpc.yaml
 - aws-compute-lambda-dlq-check.yaml
 - aws-compute-lambda-concurrency-check.yaml
- - aws-compute-ec2-instances-in-vpc.yaml
 - aws-compute-ec2-instance-no-public-ip.yaml
 - aws-compute-ec2-managedinstance-platform-check.yaml
 - aws-compute-ec2-instance-profile-attached.yaml
diff --git a/resources/policies/aws-dynamodb-best-practices.yaml b/resources/policies/aws-dynamodb-best-practices.yaml
index b8b1cb2b..a9f8051d 100644
--- a/resources/policies/aws-dynamodb-best-practices.yaml
+++ b/resources/policies/aws-dynamodb-best-practices.yaml
@@ -13,7 +13,5 @@ ruleIds:
 # - aws-database-dynamodb-covered-by-backup-plan.yaml # Negative Rule
 - aws-database-dynamodb-pitr-enabled.yaml
 - aws-database-dynamodb-resources-protected-by-backup-plan.yaml
- - aws-database-dynamodb-table-encrypted-kms.yaml
- - aws-database-dynamodb-table-encryption-enabled.yaml
 # - dynamodb-throughput-limit-check - [to do]
 version: 0.2.6
diff --git a/resources/resources/tests/test-aws-compute-ec2-instances-in-vpc.yaml b/resources/resources/tests/test-aws-compute-ec2-instances-in-vpc.yaml
deleted file mode 100644
index a8bda3ab..00000000
--- a/resources/resources/tests/test-aws-compute-ec2-instances-in-vpc.yaml
+++ /dev/null
@@ -1,361 +0,0 @@
-ruleId: aws-compute-ec2-instances-in-vpc
-cloudProvider: aws
-description: >
- Insecure Assets:
- - no VPC associated with the ec2 instance
- Secure asset
- - vpc attached to the ec2 instance
-insecureAssets:
- novpc: >
- [ {
- "documentId" : "lZsCY5uROaqw_kMesk6oaA",
- "arn" : "novpc",
- "resourceName" : "i-067731237bf0d69df",
- "resourceId" : "i-067731237bf0d69df",
- "resourceType" : "AWS::EC2::Instance",
- "awsRegion" : "eu-west-2",
- "awsAccountId" : "00000000000",
- "createdIso" : "2022-05-17T12:27:30Z",
- "updatedIso" : "2022-05-17T12:36:22.785095Z",
- "discoverySessionId" : null,
- "maxSizeInBytes" : null,
- "sizeInBytes" : null,
- "configuration" : {
- "amiLaunchIndex" : 0,
- "imageId" : "ami-0d729d2846a86a9e7",
- "instanceId" : "i-067731237bf0d69df",
- "instanceType" : "t2.micro",
- "kernelId" : null,
- "keyName" : "teat",
- "launchTime" : "2022-05-17T12:27:30Z",
- "monitoring" : {
- "state" : "disabled"
- },
- "placement" : {
- "availabilityZone" : "eu-west-2b",
- "affinity" : null,
- "groupName" : "",
- "partitionNumber" : null,
- "hostId" : null,
- "tenancy" : "default",
- "spreadDomain" : null,
- "hostResourceGroupArn" : null
- },
- "platform" : null,
- "privateDnsName" : "ip-172-31-43-41.eu-west-2.compute.internal",
- "privateIpAddress" : "172.31.43.41",
- "productCodes" : [ ],
- "publicDnsName" : "ec2-13-40-189-153.eu-west-2.compute.amazonaws.com",
- "publicIpAddress" : "13.40.189.153",
- "ramdiskId" : null,
- "state" : {
- "code" : 16,
- "name" : "running"
- },
- "stateTransitionReason" : "",
- "subnetId" : "subnet-a579dee9",
- "vpcId" : null,
- "architecture" : "x86_64",
- "blockDeviceMappings" : [ {
- "deviceName" : "/dev/xvda",
- "ebs" : {
- "attachTime" : "2022-05-17T12:27:31Z",
- "deleteOnTermination" : true,
- "status" : "attached",
- "volumeId" : "vol-0a9ba2ad787dd7582"
- }
- } ],
- "clientToken" : "",
- "ebsOptimized" : false,
- "enaSupport" : true,
- "hypervisor" : "xen",
- "iamInstanceProfile" : {
- "arn" : "arn:aws:iam::00000000000:instance-profile/AmazonSSMRoleForInstancesQuickSetup",
- "id" : "AIPAW52VVENLW43OMXCNO"
- },
- "instanceLifecycle" : null,
- "elasticGpuAssociations" : null,
- "elasticInferenceAcceleratorAssociations" : null,
- "networkInterfaces" : [ {
- "association" : {
- "carrierIp" : null,
- "customerOwnedIp" : null,
- "ipOwnerId" : "amazon",
- "publicDnsName" : "ec2-13-40-189-153.eu-west-2.compute.amazonaws.com",
- "publicIp" : "13.40.189.153"
- },
- "attachment" : {
- "attachTime" : "2022-05-17T12:27:30Z",
- "attachmentId" : "eni-attach-0cb91dccb02eae364",
- "deleteOnTermination" : true,
- "deviceIndex" : 0,
- "status" : "attached",
- "networkCardIndex" : 0
- },
- "description" : "",
- "groups" : [ {
- "groupName" : "launch-wizard-1",
- "groupId" : "sg-06df6b0fef5e46f6a"
- } ],
- "ipv6Addresses" : [ ],
- "macAddress" : "0a:0e:d0:2c:cd:80",
- "networkInterfaceId" : "eni-00b304cafeec8c5f3",
- "ownerId" : "00000000000",
- "privateDnsName" : "ip-172-31-43-41.eu-west-2.compute.internal",
- "privateIpAddress" : "172.31.43.41",
- "privateIpAddresses" : [ {
- "association" : {
- "carrierIp" : null,
- "customerOwnedIp" : null,
- "ipOwnerId" : "amazon",
- "publicDnsName" : "ec2-13-40-189-153.eu-west-2.compute.amazonaws.com",
- "publicIp" : "13.40.189.153"
- },
- "primary" : true,
- "privateDnsName" : "ip-172-31-43-41.eu-west-2.compute.internal",
- "privateIpAddress" : "172.31.43.41"
- } ],
- "sourceDestCheck" : true,
- "status" : "in-use",
- "subnetId" : "subnet-a579dee9",
- "vpcId" : "vpc-511f5d39",
- "interfaceType" : "interface",
- "ipv4Prefixes" : null,
- "ipv6Prefixes" : null
- } ],
- "outpostArn" : null,
- "rootDeviceName" : "/dev/xvda",
- "rootDeviceType" : "ebs",
- "securityGroups" : [ {
- "groupName" : "launch-wizard-1",
- "groupId" : "sg-06df6b0fef5e46f6a"
- } ],
- "sourceDestCheck" : true,
- "spotInstanceRequestId" : null,
- "sriovNetSupport" : null,
- "stateReason" : null,
- "tags" : [ {
- "key" : "Name",
- "value" : "test"
- } ],
- "virtualizationType" : "hvm",
- "cpuOptions" : {
- "coreCount" : 1,
- "threadsPerCore" : 1
- },
- "capacityReservationId" : null,
- "capacityReservationSpecification" : {
- "capacityReservationPreference" : "open",
- "capacityReservationTarget" : null
- },
- "hibernationOptions" : {
- "configured" : false
- },
- "licenses" : null,
- "metadataOptions" : {
- "state" : "applied",
- "httpTokens" : "optional",
- "httpPutResponseHopLimit" : 1,
- "httpEndpoint" : "enabled",
- "httpProtocolIpv6" : "disabled"
- },
- "enclaveOptions" : {
- "enabled" : false
- },
- "bootMode" : null,
- "platformDetails" : "Linux/UNIX",
- "usageOperation" : "RunInstances",
- "usageOperationUpdateTime" : "2022-05-17T12:27:30Z",
- "privateDnsNameOptions" : {
- "hostnameType" : "ip-name",
- "enableResourceNameDnsARecord" : true,
- "enableResourceNameDnsAAAARecord" : false
- },
- "ipv6Address" : null,
- "publicIp" : "13.40.189.153"
- },
- "supplementaryConfiguration" : {
- "awsBackupJobs" : [ ]
- },
- "tags" : {
- "Name" : "test"
- },
- "discoveryMeta" : { }
- }]
-secureAssets:
- vpc: >
- [ {
- "documentId" : "lZsCY5uROaqw_kMesk6oaA",
- "arn" : "vpc",
- "resourceName" : "i-067731237bf0d69df",
- "resourceId" : "i-067731237bf0d69df",
- "resourceType" : "AWS::EC2::Instance",
- "awsRegion" : "eu-west-2",
- "awsAccountId" : "00000000000",
- "createdIso" : "2022-05-17T12:27:30Z",
- "updatedIso" : "2022-05-17T12:36:22.785095Z",
- "discoverySessionId" : null,
- "maxSizeInBytes" : null,
- "sizeInBytes" : null,
- "configuration" : {
- "amiLaunchIndex" : 0,
- "imageId" : "ami-0d729d2846a86a9e7",
- "instanceId" : "i-067731237bf0d69df",
- "instanceType" : "t2.micro",
- "kernelId" : null,
- "keyName" : "teat",
- "launchTime" : "2022-05-17T12:27:30Z",
- "monitoring" : {
- "state" : "disabled"
- },
- "placement" : {
- "availabilityZone" : "eu-west-2b",
- "affinity" : null,
- "groupName" : "",
- "partitionNumber" : null,
- "hostId" : null,
- "tenancy" : "default",
- "spreadDomain" : null,
- "hostResourceGroupArn" : null
- },
- "platform" : null,
- "privateDnsName" : "ip-172-31-43-41.eu-west-2.compute.internal",
- "privateIpAddress" : "172.31.43.41",
- "productCodes" : [ ],
- "publicDnsName" : "ec2-13-40-189-153.eu-west-2.compute.amazonaws.com",
- "publicIpAddress" : "13.40.189.153",
- "ramdiskId" : null,
- "state" : {
- "code" : 16,
- "name" : "running"
- },
- "stateTransitionReason" : "",
- "subnetId" : "subnet-a579dee9",
- "vpcId" : "vpc-511f5d39",
- "architecture" : "x86_64",
- "blockDeviceMappings" : [ {
- "deviceName" : "/dev/xvda",
- "ebs" : {
- "attachTime" : "2022-05-17T12:27:31Z",
- "deleteOnTermination" : true,
- "status" : "attached",
- "volumeId" : "vol-0a9ba2ad787dd7582"
- }
- } ],
- "clientToken" : "",
- "ebsOptimized" : false,
- "enaSupport" : true,
- "hypervisor" : "xen",
- "iamInstanceProfile" : {
- "arn" : "arn:aws:iam::00000000000:instance-profile/AmazonSSMRoleForInstancesQuickSetup",
- "id" : "AIPAW52VVENLW43OMXCNO"
- },
- "instanceLifecycle" : null,
- "elasticGpuAssociations" : null,
- "elasticInferenceAcceleratorAssociations" : null,
- "networkInterfaces" : [ {
- "association" : {
- "carrierIp" : null,
- "customerOwnedIp" : null,
- "ipOwnerId" : "amazon",
- "publicDnsName" : "ec2-13-40-189-153.eu-west-2.compute.amazonaws.com",
- "publicIp" : "13.40.189.153"
- },
- "attachment" : {
- "attachTime" : "2022-05-17T12:27:30Z",
- "attachmentId" : "eni-attach-0cb91dccb02eae364",
- "deleteOnTermination" : true,
- "deviceIndex" : 0,
- "status" : "attached",
- "networkCardIndex" : 0
- },
- "description" : "",
- "groups" : [ {
- "groupName" : "launch-wizard-1",
- "groupId" : "sg-06df6b0fef5e46f6a"
- } ],
- "ipv6Addresses" : [ ],
- "macAddress" : "0a:0e:d0:2c:cd:80",
- "networkInterfaceId" : "eni-00b304cafeec8c5f3",
- "ownerId" : "00000000000",
- "privateDnsName" : "ip-172-31-43-41.eu-west-2.compute.internal",
- "privateIpAddress" : "172.31.43.41",
- "privateIpAddresses" : [ {
- "association" : {
- "carrierIp" : null,
- "customerOwnedIp" : null,
- "ipOwnerId" : "amazon",
- "publicDnsName" : "ec2-13-40-189-153.eu-west-2.compute.amazonaws.com",
- "publicIp" : "13.40.189.153"
- },
- "primary" : true,
- "privateDnsName" : "ip-172-31-43-41.eu-west-2.compute.internal",
- "privateIpAddress" : "172.31.43.41"
- } ],
- "sourceDestCheck" : true,
- "status" : "in-use",
- "subnetId" : "subnet-a579dee9",
- "vpcId" : "vpc-511f5d39",
- "interfaceType" : "interface",
- "ipv4Prefixes" : null,
- "ipv6Prefixes" : null
- } ],
- "outpostArn" : null,
- "rootDeviceName" : "/dev/xvda",
- "rootDeviceType" : "ebs",
- "securityGroups" : [ {
- "groupName" : "launch-wizard-1",
- "groupId" : "sg-06df6b0fef5e46f6a"
- } ],
- "sourceDestCheck" : true,
- "spotInstanceRequestId" : null,
- "sriovNetSupport" : null,
- "stateReason" : null,
- "tags" : [ {
- "key" : "Name",
- "value" : "test"
- } ],
- "virtualizationType" : "hvm",
- "cpuOptions" : {
- "coreCount" : 1,
- "threadsPerCore" : 1
- },
- "capacityReservationId" : null,
- "capacityReservationSpecification" : {
- "capacityReservationPreference" : "open",
- "capacityReservationTarget" : null
- },
- "hibernationOptions" : {
- "configured" : false
- },
- "licenses" : null,
- "metadataOptions" : {
- "state" : "applied",
- "httpTokens" : "optional",
- "httpPutResponseHopLimit" : 1,
- "httpEndpoint" : "enabled",
- "httpProtocolIpv6" : "disabled"
- },
- "enclaveOptions" : {
- "enabled" : false
- },
- "bootMode" : null,
- "platformDetails" : "Linux/UNIX",
- "usageOperation" : "RunInstances",
- "usageOperationUpdateTime" : "2022-05-17T12:27:30Z",
- "privateDnsNameOptions" : {
- "hostnameType" : "ip-name",
- "enableResourceNameDnsARecord" : true,
- "enableResourceNameDnsAAAARecord" : false
- },
- "ipv6Address" : null,
- "publicIp" : "13.40.189.153"
- },
- "supplementaryConfiguration" : {
- "awsBackupJobs" : [ ]
- },
- "tags" : {
- "Name" : "test"
- },
- "discoveryMeta" : { }
- }]
\ No newline at end of file
diff --git a/resources/resources/tests/test-aws-database-dynamodb-table-encrypted-kms.yaml b/resources/resources/tests/test-aws-database-dynamodb-table-encrypted-kms.yaml
deleted file mode 100644
index a0e2ba7d..00000000
--- a/resources/resources/tests/test-aws-database-dynamodb-table-encrypted-kms.yaml
+++ /dev/null
@@ -1,164 +0,0 @@
-# opnrvn-r-161
-ruleId: aws-database-dynamodb-table-encrypted-kms
-cloudProvider: aws
-description: >
- - Checks if Amazon DynamoDB table is encrypted with AWS Key Management Service (KMS).
- - `no-kms` Insecure Assets have no KMS
- - `kms` Secure Assets have KMS
-insecureAssets:
- no-kms: >
- [ {
- "documentId" : "ay6C53_LP4au4s6aXXZeIg",
- "arn" : "no-kms",
- "resourceName" : "no-kms",
- "resourceId" : "no-kms",
- "resourceType" : "AWS::DynamoDB::Table",
- "awsRegion" : "us-east-1",
- "awsAccountId" : "000000000000",
- "createdIso" : "2021-12-14T12:17:50.065Z",
- "updatedIso" : "2021-12-14T14:49:18.992172Z",
- "discoverySessionId" : null,
- "maxSizeInBytes" : null,
- "sizeInBytes" : null,
- "configuration" : {
- "attributeDefinitions" : [ {
- "attributeName" : "sdfg",
- "attributeType" : "S"
- }, {
- "attributeName" : "sdfgx",
- "attributeType" : "S"
- } ],
- "tableName" : "no-kms",
- "keySchema" : [ {
- "attributeName" : "sdfg",
- "keyType" : "HASH"
- }, {
- "attributeName" : "sdfgx",
- "keyType" : "RANGE"
- } ],
- "tableStatus" : "ACTIVE",
- "creationDateTime" : "2021-12-14T12:17:50.065Z",
- "provisionedThroughput" : {
- "lastIncreaseDateTime" : null,
- "lastDecreaseDateTime" : null,
- "numberOfDecreasesToday" : 0,
- "readCapacityUnits" : 0,
- "writeCapacityUnits" : 0
- },
- "tableSizeBytes" : 0,
- "itemCount" : 0,
- "tableArn" : "no-kms",
- "tableId" : "no-kms",
- "billingModeSummary" : {
- "billingMode" : "PAY_PER_REQUEST",
- "lastUpdateToPayPerRequestDateTime" : "2021-12-14T12:17:50.065Z"
- },
- "sseDescription" : null,
- "localSecondaryIndexes" : null,
- "globalSecondaryIndexes" : null,
- "streamSpecification" : null,
- "latestStreamLabel" : null,
- "latestStreamArn" : null,
- "globalTableVersion" : null,
- "replicas" : null,
- "restoreSummary" : null,
- "archivalSummary" : null
- },
- "supplementaryConfiguration" : {
- "continuousBackups" : {
- "continuousBackupsDescription" : {
- "continuousBackupsStatus" : "ENABLED",
- "pointInTimeRecoveryDescription" : {
- "pointInTimeRecoveryStatus" : "ENABLED",
- "earliestRestorableDateTime" : "2021-12-14T14:24:46Z",
- "latestRestorableDateTime" : "2021-12-14T14:44:21.219Z"
- }
- }
- },
- "tags" : { },
- "awsBackupJobs" : [ ]
- },
- "tags" : { },
- "discoveryMeta" : { }
- }]
-secureAssets:
- kms: >
- [ {
- "documentId" : "ay6C53_LP4au4s6aXXZeIg",
- "arn" : "kms",
- "resourceName" : "kms",
- "resourceId" : "kms",
- "resourceType" : "AWS::DynamoDB::Table",
- "awsRegion" : "us-east-1",
- "awsAccountId" : "000000000000",
- "createdIso" : "2021-12-14T12:17:50.065Z",
- "updatedIso" : "2021-12-14T14:49:18.992172Z",
- "discoverySessionId" : null,
- "maxSizeInBytes" : null,
- "sizeInBytes" : null,
- "configuration" : {
- "attributeDefinitions" : [ {
- "attributeName" : "sdfg",
- "attributeType" : "S"
- }, {
- "attributeName" : "sdfgx",
- "attributeType" : "S"
- } ],
- "tableName" : "testing123",
- "keySchema" : [ {
- "attributeName" : "sdfg",
- "keyType" : "HASH"
- }, {
- "attributeName" : "sdfgx",
- "keyType" : "RANGE"
- } ],
- "tableStatus" : "ACTIVE",
- "creationDateTime" : "2021-12-14T12:17:50.065Z",
- "provisionedThroughput" : {
- "lastIncreaseDateTime" : null,
- "lastDecreaseDateTime" : null,
- "numberOfDecreasesToday" : 0,
- "readCapacityUnits" : 0,
- "writeCapacityUnits" : 0
- },
- "tableSizeBytes" : 0,
- "itemCount" : 0,
- "tableArn" : "arn:aws:dynamodb:us-east-1:000000000000:table/testing123",
- "tableId" : "0ef1391d-d2a7-4b7a-80c0-f3509534ddf0",
- "billingModeSummary" : {
- "billingMode" : "PAY_PER_REQUEST",
- "lastUpdateToPayPerRequestDateTime" : "2021-12-14T12:17:50.065Z"
- },
- "localSecondaryIndexes" : null,
- "globalSecondaryIndexes" : null,
- "streamSpecification" : null,
- "latestStreamLabel" : null,
- "latestStreamArn" : null,
- "globalTableVersion" : null,
- "replicas" : null,
- "restoreSummary" : null,
- "sseDescription" : {
- "status" : "ENABLED",
- "sseType" : "KMS",
- "kmsMasterKeyArn" : "arn:aws:kms:us-east-1:000000000000:key/0dd09529-bacc-42a4-b579-e91d96ce21f2",
- "inaccessibleEncryptionDateTime" : null
- },
- "archivalSummary" : null
- },
- "supplementaryConfiguration" : {
- "continuousBackups" : {
- "continuousBackupsDescription" : {
- "continuousBackupsStatus" : "ENABLED",
- "pointInTimeRecoveryDescription" : {
- "pointInTimeRecoveryStatus" : "ENABLED",
- "earliestRestorableDateTime" : "2021-12-14T14:24:46Z",
- "latestRestorableDateTime" : "2021-12-14T14:44:21.219Z"
- }
- }
- },
- "tags" : { },
- "awsBackupJobs" : [ ]
- },
- "tags" : { },
- "discoveryMeta" : { }
- }]
diff --git a/resources/resources/tests/test-aws-database-dynamodb-table-encryption-enabled.yaml b/resources/resources/tests/test-aws-database-dynamodb-table-encryption-enabled.yaml
deleted file mode 100644
index 7754845a..00000000
--- a/resources/resources/tests/test-aws-database-dynamodb-table-encryption-enabled.yaml
+++ /dev/null
@@ -1,206 +0,0 @@
-# opnrvn-r-167
-ruleId: aws-database-dynamodb-table-encryption-enabled
-cloudProvider: aws
-description: >
- - Checks if Amazon DynamoDB tables have encryption enabled.
- - `encryption-disabled` Insecure Assets have encryption-disabled
- - `encryption-enabled` Secure Assets have encryption-enabled
-insecureAssets:
- encryption-disabled: >
- [ {
- "documentId" : "null",
- "arn" : "encryption-disabled",
- "resourceName" : "encryption-disabled",
- "resourceId" : "encryption-disabled",
- "resourceType" : "AWS::DynamoDB::Table",
- "awsRegion" : "us-east-1",
- "awsAccountId" : "000000000000",
- "createdIso" : "2021-12-14T12:17:50.065Z",
- "updatedIso" : "2021-12-14T14:49:18.992172Z",
- "discoverySessionId" : null,
- "maxSizeInBytes" : null,
- "sizeInBytes" : null,
- "configuration" : {
- "attributeDefinitions" : [ {
- "attributeName" : "sdfg",
- "attributeType" : "S"
- }, {
- "attributeName" : "sdfgx",
- "attributeType" : "S"
- } ],
- "tableName" : "testing123",
- "keySchema" : [ {
- "attributeName" : "sdfg",
- "keyType" : "HASH"
- }, {
- "attributeName" : "sdfgx",
- "keyType" : "RANGE"
- } ],
- "tableStatus" : "ACTIVE",
- "creationDateTime" : "2021-12-14T12:17:50.065Z",
- "provisionedThroughput" : {
- "lastIncreaseDateTime" : null,
- "lastDecreaseDateTime" : null,
- "numberOfDecreasesToday" : 0,
- "readCapacityUnits" : 0,
- "writeCapacityUnits" : 0
- },
- "tableSizeBytes" : 0,
- "itemCount" : 0,
- "tableArn" : "arn:aws:dynamodb:us-east-1:000000000000:table/testing123",
- "tableId" : "0ef1391d-d2a7-4b7a-80c0-f3509534ddf0",
- "billingModeSummary" : {
- "billingMode" : "PAY_PER_REQUEST",
- "lastUpdateToPayPerRequestDateTime" : "2021-12-14T12:17:50.065Z"
- },
- "localSecondaryIndexes" : null,
- "globalSecondaryIndexes" : null,
- "streamSpecification" : null,
- "latestStreamLabel" : null,
- "latestStreamArn" : null,
- "globalTableVersion" : null,
- "replicas" : null,
- "restoreSummary" : null,
- "sseDescription" : null,
- "archivalSummary" : null
- },
- "supplementaryConfiguration" : {
- "continuousBackups" : {
- "continuousBackupsDescription" : {
- "continuousBackupsStatus" : "ENABLED",
- "pointInTimeRecoveryDescription" : {
- "pointInTimeRecoveryStatus" : "ENABLED",
- "earliestRestorableDateTime" : "2021-12-14T14:24:46Z",
- "latestRestorableDateTime" : "2021-12-14T14:44:21.219Z"
- }
- }
- },
- "tags" : { },
- "awsBackupJobs" : [ {
- "accountId" : "000000000000",
- "backupJobId" : "5364B1D4-36AD-33AF-CF2F-7359AAA326E7",
- "backupVaultName" : "Default",
- "backupVaultArn" : "arn:aws:backup:us-east-1:000000000000:backup-vault:Default",
- "recoveryPointArn" : "arn:aws:backup:us-east-1:000000000000:recovery-point:69203525-0b5e-4dbd-b2a2-be5ddadcd77e",
- "resourceArn" : "arn:aws:dynamodb:us-east-1:000000000000:table/sdfvbg",
- "creationDate" : "2021-12-14T14:43:54.710Z",
- "completionDate" : "2021-12-14T14:47:12.069Z",
- "state" : "COMPLETED",
- "statusMessage" : null,
- "percentDone" : "100.0",
- "backupSizeInBytes" : 0,
- "iamRoleArn" : "arn:aws:iam::000000000000:role/service-role/AWSBackupDefaultServiceRole",
- "createdBy" : null,
- "expectedCompletionDate" : null,
- "startBy" : "2021-12-14T15:43:54.710Z",
- "resourceType" : "DynamoDB",
- "bytesTransferred" : null,
- "backupOptions" : null,
- "backupType" : null
- } ]
- },
- "tags" : { },
- "discoveryMeta" : { }
- }]
-secureAssets:
- encryption-enabled: >
- [ {
- "documentId" : "ay6C53_LP4au4s6aXXZeIg",
- "arn" : "encryption-enabled",
- "resourceName" : "encryption-enabled",
- "resourceId" : "encryption-enabled",
- "resourceType" : "AWS::DynamoDB::Table",
- "awsRegion" : "us-east-1",
- "awsAccountId" : "000000000000",
- "createdIso" : "2021-12-14T12:17:50.065Z",
- "updatedIso" : "2021-12-14T14:49:18.992172Z",
- "discoverySessionId" : null,
- "maxSizeInBytes" : null,
- "sizeInBytes" : null,
- "configuration" : {
- "attributeDefinitions" : [ {
- "attributeName" : "sdfg",
- "attributeType" : "S"
- }, {
- "attributeName" : "sdfgx",
- "attributeType" : "S"
- } ],
- "tableName" : "testing123",
- "keySchema" : [ {
- "attributeName" : "sdfg",
- "keyType" : "HASH"
- }, {
- "attributeName" : "sdfgx",
- "keyType" : "RANGE"
- } ],
- "tableStatus" : "ACTIVE",
- "creationDateTime" : "2021-12-14T12:17:50.065Z",
- "provisionedThroughput" : {
- "lastIncreaseDateTime" : null,
- "lastDecreaseDateTime" : null,
- "numberOfDecreasesToday" : 0,
- "readCapacityUnits" : 0,
- "writeCapacityUnits" : 0
- },
- "tableSizeBytes" : 0,
- "itemCount" : 0,
- "tableArn" : "arn:aws:dynamodb:us-east-1:000000000000:table/testing123",
- "tableId" : "0ef1391d-d2a7-4b7a-80c0-f3509534ddf0",
- "billingModeSummary" : {
- "billingMode" : "PAY_PER_REQUEST",
- "lastUpdateToPayPerRequestDateTime" : "2021-12-14T12:17:50.065Z"
- },
- "localSecondaryIndexes" : null,
- "globalSecondaryIndexes" : null,
- "streamSpecification" : null,
- "latestStreamLabel" : null,
- "latestStreamArn" : null,
- "globalTableVersion" : null,
- "replicas" : null,
- "restoreSummary" : null,
- "sseDescription" : {
- "status" : "ENABLED",
- "sseType" : "KMS",
- "kmsMasterKeyArn" : "arn:aws:kms:us-east-1:000000000000:key/0dd09529-bacc-42a4-b579-e91d96ce21f2",
- "inaccessibleEncryptionDateTime" : null
- },
- "archivalSummary" : null
- },
- "supplementaryConfiguration" : {
- "continuousBackups" : {
- "continuousBackupsDescription" : {
- "continuousBackupsStatus" : "ENABLED",
- "pointInTimeRecoveryDescription" : {
- "pointInTimeRecoveryStatus" : "ENABLED",
- "earliestRestorableDateTime" : "2021-12-14T14:24:46Z",
- "latestRestorableDateTime" : "2021-12-14T14:44:21.219Z"
- }
- }
- },
- "tags" : { },
- "awsBackupJobs" : [ {
- "accountId" : "000000000000",
- "backupJobId" : "5364B1D4-36AD-33AF-CF2F-7359AAA326E7",
- "backupVaultName" : "Default",
- "backupVaultArn" : "arn:aws:backup:us-east-1:000000000000:backup-vault:Default",
- "recoveryPointArn" : "arn:aws:backup:us-east-1:000000000000:recovery-point:69203525-0b5e-4dbd-b2a2-be5ddadcd77e",
- "resourceArn" : "arn:aws:dynamodb:us-east-1:000000000000:table/sdfvbg",
- "creationDate" : "2021-12-14T14:43:54.710Z",
- "completionDate" : "2021-12-14T14:47:12.069Z",
- "state" : "COMPLETED",
- "statusMessage" : null,
- "percentDone" : "100.0",
- "backupSizeInBytes" : 0,
- "iamRoleArn" : "arn:aws:iam::000000000000:role/service-role/AWSBackupDefaultServiceRole",
- "createdBy" : null,
- "expectedCompletionDate" : null,
- "startBy" : "2021-12-14T15:43:54.710Z",
- "resourceType" : "DynamoDB",
- "bytesTransferred" : null,
- "backupOptions" : null,
- "backupType" : null
- } ]
- },
- "tags" : { },
- "discoveryMeta" : { }
- }]
diff --git a/resources/rules/aws-compute-ec2-instances-in-vpc.yaml b/resources/rules/aws-compute-ec2-instances-in-vpc.yaml
deleted file mode 100644
index 7225295d..00000000
--- a/resources/rules/aws-compute-ec2-instances-in-vpc.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-id: 66d58541-3a0d-44f2-9d06-01a5bd6a67b6
-refId: aws-compute-ec2-instances-in-vpc
-type: asset
-name: >
- EC2 instance does not belong to a VPC
-description: >
- This rule identifies EC2 instances which do not belong to a VPC. If the VPC ID parameter has no value assigned, the selected EC2 instance was launched within the EC2-Classic platform and should be moved to the EC2-VPC platform.
-severity: low
-enabled: true
-sql: >
- SELECT arn as assetid
- FROM ${magpie_schema}.awsec2instance
- WHERE configuration->>'vpcId' IS NULL;
-remediation: >
- Ensure that EC2 instances belong to the appropriate VPC.
-remediationDocURLs: https://github.com/openraven/security-rules/wiki
-version: 1.0.7
diff --git a/resources/rules/aws-database-dynamodb-table-encrypted-kms.yaml b/resources/rules/aws-database-dynamodb-table-encrypted-kms.yaml
deleted file mode 100644
index 19ce9740..00000000
--- a/resources/rules/aws-database-dynamodb-table-encrypted-kms.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-id: bb941fe0-197f-4937-ad1c-c03ed8bd74a4
-# opnrvn-r-161
-refId: aws-database-dynamodb-table-encrypted-kms
-type: asset
-name: >
- DynamoDB table is not encrypted by AWS KMS
-description: >
- This rule identifies DynamoDB tables which are not encrypted by AWS Key Management Service (AWS KMS). Enabling KMS encryption provides enhanced security for data at rest by encrypting data using keys stored within AWS KMS.
-severity: high
-enabled: true
-sql: >
- SELECT arn as assetid
- FROM ${magpie_schema}.awsdynamodbtable
- WHERE (configuration->>'sseDescription' IS NULL)
- OR (configuration->'sseDescription'->>'sseType' != 'KMS');
-remediation: >
- Enable AWS KMS encryption for DynamoDB tables.
-remediationDocURLs: https://github.com/openraven/security-rules/wiki
-version: 1.0.7
diff --git a/resources/rules/aws-database-dynamodb-table-encryption-enabled.yaml b/resources/rules/aws-database-dynamodb-table-encryption-enabled.yaml
deleted file mode 100644
index 920a3d0d..00000000
--- a/resources/rules/aws-database-dynamodb-table-encryption-enabled.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-id: 1465c6dd-47c1-4261-90ad-4d7b01e94c8a
-# opnrvn-r-167
-refId: aws-database-dynamodb-table-encryption-enabled
-type: asset
-name: >
- DynamoDB table is not encrypted
-description: >
- This rule identifies DynamoDB tables which are not encrypted. Encrypting your Amazon DynamoDB tables helps protect your data from unauthorized access or tampering.
-severity: high
-enabled: true
-sql: >
- SELECT arn as assetid
- FROM ${magpie_schema}.awsdynamodbtable
- where (configuration ->> 'sseDescription' IS NULL)
-remediation: >
- Enable encryption for DynamoDB tables.
-remediationDocURLs: https://github.com/openraven/security-rules/wiki
-version: 1.0.8