Skip to content

Commit

Permalink
Adding Aws new policies cloudTrail (#810)
Browse files Browse the repository at this point in the history 
Co-authored-by: Avanti Vyas <avanti@accurics.com>
  • Loading branch information
@Avanti19
Avanti19 and Avanti Vyas committed Jun 1, 2021
1 parent 0ed8ef7 commit 3f02324
Show file tree
Hide file tree
Showing 13 changed files with 131 additions and 3 deletions.
12 changes: 12 additions & 0 deletions pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.CloudTrail.Logging.Low.009.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
{
"name": "ecrmaketagsimmutable",
"file": "ecr_make_tags_immutable.rego",
"template_args": {
"prefix": ""
},
"severity": "LOW",
"description": "ECR should have an image tag be immutable",
"reference_id": "AWS.CloudTrail.Logging.Low.009",
"category": "Security Best Practices",
"version": 2
}
12 changes: 12 additions & 0 deletions pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.CloudTrail.Logging.Medium.004.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
{
"name": "cloudTrailMultiRegionEnabled",
"file": "cloudTrailMultiRegion.rego",
"template_args": {
"prefix": ""
},
"severity": "MEDIUM",
"description": "Cloud Trail Multi Region not enabled",
"reference_id": "AWS.CloudTrail.Logging.Medium.004",
"category": "Logging and Monitoring",
"version": 2
}
12 changes: 12 additions & 0 deletions pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.CloudTrail.Logging.Medium.007.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
{
"name": "dynamoderecovery_enabled",
"file": "dynamodb_without_recovery_enabled.rego",
"template_args": {
"prefix": ""
},
"severity": "MEDIUM",
"description": "Ensure Point In Time Recovery is enabled for DynamoDB Tables",
"reference_id": "AWS.CloudTrail.Logging.Medium.007",
"category": "Resilience",
"version": 2
}
12 changes: 12 additions & 0 deletions pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.CloudTrail.Logging.Medium.008.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
{
"name": "ec2ebsnotoptimized",
"file": "ec2_ebs_not_optimized.rego",
"template_args": {
"prefix": ""
},
"severity": "MEDIUM",
"description": "Ensure that EC2 is EBS optimized",
"reference_id": "AWS.CloudTrail.Logging.Medium.008",
"category": "Security Best Practices",
"version": 1
}
4 changes: 1 addition & 3 deletions pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.CloudTrail.Logging.Medium.0460.json
100755 → 100644
View file
Original file line number Diff line number Diff line change
@@ -1,14 +1,12 @@
{
"name": "cloudTrailMultiRegionNotCreated",
"file": "cloudTrailMultiRegionNotCreated.rego",
"policy_type": "aws",
"resource_type": "aws_cloudtrail",
"template_args": {
"prefix": ""
},
"severity": "MEDIUM",
"description": "Cloud Trail Multi Region not enabled",
"reference_id": "AWS.CloudTrail.Logging.Medium.0460",
"category": "Logging and Monitoring",
"category": "Logging",
"version": 2
}
12 changes: 12 additions & 0 deletions pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.Config.Logging.Medium.0590.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
{
"name": "configEnabledForAllRegions",
"file": "configEnabled.rego",
"template_args": {
"prefix": ""
},
"severity": "Medium",
"description": "Ensure AWS Config is enabled in all regions",
"reference_id": "AWS.Config.Logging.Medium.0590",
"category": "Logging and Monitoring",
"version": 2
}
6 changes: 6 additions & 0 deletions pkg/policies/opa/rego/aws/aws_cloudtrail/cloudTrailMultiRegion.rego
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
package accurics

{{.prefix}}cloudTrailMultiRegionEnabled[cloud_trail.id]{
cloud_trail = input.aws_cloudtrail[_]
object.get(cloud_trail, "is_multi_region_trail", "undefined") == "undefined"
}
Empty file modified pkg/policies/opa/rego/aws/aws_cloudtrail/cloudTrailMultiRegionNotCreated.rego
100755 → 100644
View file
Empty file.
14 changes: 14 additions & 0 deletions pkg/policies/opa/rego/aws/aws_cloudtrail/configEnabled.rego
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
package accurics

{{.prefix}}configEnabledForAllRegions[con.id]{
con = input.aws_config_configuration_aggregator[_]
ag_source = con.config.account_aggregation_source[_]
object.get(ag_source, "all_regions", "undefined") == ["undefined", false][_]
}


{{.prefix}}configEnabledForAllRegions[con.id]{
con = input.aws_config_configuration_aggregator[_]
ag_source = con.config.organization_aggregation_source[_]
object.get(ag_source, "all_regions", "undefined") == ["undefined", false][_]
}
21 changes: 21 additions & 0 deletions pkg/policies/opa/rego/aws/aws_cloudtrail/configEnabledForAllRegions.rego
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
package accurics

{{.prefix}}configEnabledForAllRegions[retVal]{
con = input.aws_config_configuration_aggregator[_]
some i
ag_source = con.config.account_aggregation_source[i]
# need some logic to guess ReplaceType as add / edit, we get this value in both cases
ag_source.all_regions == false
traverse = sprintf("account_aggregation_source[%d].all_regions", [i])
retVal := { "Id": con.id, "ReplaceType": "edit", "CodeType": "attribute", "Traverse": traverse, "Attribute": "account_aggregation_source.all_regions", "AttributeDataType": "boolean", "Expected": true, "Actual": ag_source.all_regions }
}

{{.prefix}}configEnabledForAllRegions[retVal]{
con = input.aws_config_configuration_aggregator[_]
some i
ag_source = con.config.organization_aggregation_source[i]
# need some logic to guess ReplaceType as add / edit, we get this value in both cases
ag_source.all_regions == false
traverse = sprintf("organization_aggregation_source[%d].all_regions", [i])
retVal := { "Id": con.id, "ReplaceType": "edit", "CodeType": "attribute", "Traverse": traverse, "Attribute": "organization_aggregation_source.all_regions", "AttributeDataType": "boolean", "Expected": true, "Actual": ag_source.all_regions }
}
12 changes: 12 additions & 0 deletions pkg/policies/opa/rego/aws/aws_cloudtrail/dynamodb_without_recovery_enabled.rego
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
package accurics

{{.prefix}}dynamoderecovery_enabled[policy.id] {
policy := input.aws_dynamodb_table[_]
object.get(policy, "point_in_time_recovery", "undefined") == "undefined"
}

{{.prefix}}dynamoderecovery_enabled[policy.id] {
policy := input.aws_dynamodb_table[_]
pitr := policy.config.point_in_time_recovery[i]
pitr.enabled == false
}
6 changes: 6 additions & 0 deletions pkg/policies/opa/rego/aws/aws_cloudtrail/ec2_ebs_not_optimized.rego
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
package accurics

ec2ebsnotoptimized[con.id] {
con = input.aws_instance[_]
object.get(con.config, "ebs_optimized", "undefined") == "undefined"
}
11 changes: 11 additions & 0 deletions pkg/policies/opa/rego/aws/aws_cloudtrail/ecr_make_tags_immutable.rego
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
package accurics

{{.prefix}}ecrmaketagsimmutable[con.id]{
con = input.aws_ecr_repository[_]
con.config.image_tag_mutability == "MUTABLE"
}

{{.prefix}}ecrmaketagsimmutable[con.id]{
con = input.aws_ecr_repository[_]
object.get(con.config, "image_tag_mutability", "undefined") == "undefined"
}

0 comments on commit 3f02324

Please sign in to comment.