Adding Aws new policies cloudTrail (#810)
Co-authored-by: Avanti Vyas <avanti@accurics.com>
Showing
13 changed files
with
131 additions
and
3 deletions.
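--- a/pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.CloudTrail.Logging.Low.009.json
+++ b/pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.CloudTrail.Logging.Low.009.json
@@ -0,0 +1,12 @@
+{
+"name": "ecrmaketagsimmutable",
+"file": "ecr_make_tags_immutable.rego",
+"template_args": {
+"prefix": ""
+},
+"severity": "LOW",
+"description": "ECR should have an image tag be immutable",
+"reference_id": "AWS.CloudTrail.Logging.Low.009",
+"category": "Security Best Practices",
+"version": 2
+}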
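Review bot: The `reference_id` `AWS.CloudTrail.Logging.Low.009` and the `aws_cloudtrail` directory place an ECR image-tag check under the CloudTrail logging namespace, which misleads anyone filtering findings by service or mapping ids to controls; the same misfiling applies to `AWS.CloudTrail.Logging.Medium.007` (DynamoDB point-in-time recovery) and `AWS.CloudTrail.Logging.Medium.008` (EC2 EBS optimization) added in this commit. Give each policy a reference id and directory that name the resource it actually evaluates (ECR, DynamoDB, EC2), following whatever id format the project already uses for those services. The description also reads awkwardly; `"description": "ECR repository image tags should be immutable"` states the control directly.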
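--- a/pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.CloudTrail.Logging.Medium.004.json
+++ b/pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.CloudTrail.Logging.Medium.004.json
@@ -0,0 +1,12 @@
+{
+"name": "cloudTrailMultiRegionEnabled",
+"file": "cloudTrailMultiRegion.rego",
+"template_args": {
+"prefix": ""
+},
+"severity": "MEDIUM",
+"description": "Cloud Trail Multi Region not enabled",
+"reference_id": "AWS.CloudTrail.Logging.Medium.004",
+"category": "Logging and Monitoring",
+"version": 2
+}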
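Review bot: `AWS.CloudTrail.Logging.Medium.004` carries the same description, category and intent as the existing `AWS.CloudTrail.Logging.Medium.0460` (`cloudTrailMultiRegionNotCreated`) that this commit also edits, so a single non-multi-region trail would presumably be reported twice under two ids once both rego files are evaluated. The `cloudTrailMultiRegionNotCreated.rego` behind 0460 appears as an empty file in this commit, which suggests 004 is meant to replace it; either retire 0460 or point it at the new rego instead of introducing a second id for the same control.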
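--- a/pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.CloudTrail.Logging.Medium.007.json
+++ b/pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.CloudTrail.Logging.Medium.007.json
@@ -0,0 +1,12 @@
+{
+"name": "dynamoderecovery_enabled",
+"file": "dynamodb_without_recovery_enabled.rego",
+"template_args": {
+"prefix": ""
+},
+"severity": "MEDIUM",
+"description": "Ensure Point In Time Recovery is enabled for DynamoDB Tables",
+"reference_id": "AWS.CloudTrail.Logging.Medium.007",
+"category": "Resilience",
+"version": 2
+}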
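--- a/pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.CloudTrail.Logging.Medium.008.json
+++ b/pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.CloudTrail.Logging.Medium.008.json
@@ -0,0 +1,12 @@
+{
+"name": "ec2ebsnotoptimized",
+"file": "ec2_ebs_not_optimized.rego",
+"template_args": {
+"prefix": ""
+},
+"severity": "MEDIUM",
+"description": "Ensure that EC2 is EBS optimized",
+"reference_id": "AWS.CloudTrail.Logging.Medium.008",
+"category": "Security Best Practices",
+"version": 1
+}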
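Review bot: `"version": 1` differs from the `"version": 2` every other policy file added in this commit uses; if the version field selects which metadata schema the loader expects, this file will presumably be handled differently from its siblings for no reason. Use `"version": 2` unless the lower value is deliberate, in which case a short note in the PR description saying why would help the next reader.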
4 changes: 1 addition & 3 deletions
4
pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.CloudTrail.Logging.Medium.0460.json
100755 → 100644
@@ -1,14 +1,12 @@ | ||
{ | ||
"name": "cloudTrailMultiRegionNotCreated", | ||
"file": "cloudTrailMultiRegionNotCreated.rego", | ||
"policy_type": "aws", | ||
"resource_type": "aws_cloudtrail", | ||
"template_args": { | ||
"prefix": "" | ||
}, | ||
"severity": "MEDIUM", | ||
"description": "Cloud Trail Multi Region not enabled", | ||
"reference_id": "AWS.CloudTrail.Logging.Medium.0460", | ||
"category": "Logging and Monitoring", | ||
"category": "Logging", | ||
"version": 2 | ||
} |
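Review bot: Whichever of `"Logging and Monitoring"` and `"Logging"` is the surviving `category` value here, it should agree with the `"Logging and Monitoring"` used by the new `AWS.CloudTrail.Logging.Medium.004.json` and `AWS.Config.Logging.Medium.0590.json` in this commit; the two CloudTrail multi-region policies describe the same control and would otherwise sort into different category buckets. The rendered page does not make the side of the two `category` lines certain, so this is worth confirming against the raw diff.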
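--- a/pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.Config.Logging.Medium.0590.json
+++ b/pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.Config.Logging.Medium.0590.json
@@ -0,0 +1,12 @@
+{
+"name": "configEnabledForAllRegions",
+"file": "configEnabled.rego",
+"template_args": {
+"prefix": ""
+},
+"severity": "Medium",
+"description": "Ensure AWS Config is enabled in all regions",
+"reference_id": "AWS.Config.Logging.Medium.0590",
+"category": "Logging and Monitoring",
+"version": 2
+}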
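Review bot: `"severity": "Medium"` is mixed-case while every other file in this commit spells severities in upper case (`"MEDIUM"`, `"LOW"`); a case-sensitive severity filter or lookup would skip or misbucket this policy, and a case-insensitive one still leaves the data set inconsistent. Use `"severity": "MEDIUM"`. The file also sits in the `aws_cloudtrail` directory although its id and rule concern AWS Config; if the directory is used for resource-type grouping, an `aws_config` directory would be the expected home.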
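--- a/pkg/policies/opa/rego/aws/aws_cloudtrail/cloudTrailMultiRegion.rego
+++ b/pkg/policies/opa/rego/aws/aws_cloudtrail/cloudTrailMultiRegion.rego
@@ -0,0 +1,6 @@
+package accurics
+
+{{.prefix}}cloudTrailMultiRegionEnabled[cloud_trail.id]{
+cloud_trail = input.aws_cloudtrail[_]
+object.get(cloud_trail, "is_multi_region_trail", "undefined") == "undefined"
+}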
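Review bot: `object.get(cloud_trail, "is_multi_region_trail", "undefined")` reads the attribute from the resource wrapper rather than from `cloud_trail.config`, which is where the other rules in this commit (`con.config.image_tag_mutability`, `policy.config.point_in_time_recovery`, `con.config.account_aggregation_source`) look for Terraform attributes; if the attribute lives under `config`, this lookup always yields `"undefined"` and every trail is flagged, multi-region ones included. A trail that explicitly sets `is_multi_region_trail = false` is also never caught, because only the absent case is tested. The pattern already used in `configEnabled.rego` covers both: `object.get(cloud_trail.config, "is_multi_region_trail", "undefined") == ["undefined", false][_]`.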
Empty file modified
0
pkg/policies/opa/rego/aws/aws_cloudtrail/cloudTrailMultiRegionNotCreated.rego
100755 → 100644
Empty file.
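--- a/pkg/policies/opa/rego/aws/aws_cloudtrail/configEnabled.rego
+++ b/pkg/policies/opa/rego/aws/aws_cloudtrail/configEnabled.rego
@@ -0,0 +1,14 @@
+package accurics
+
+{{.prefix}}configEnabledForAllRegions[con.id]{
+con = input.aws_config_configuration_aggregator[_]
+ag_source = con.config.account_aggregation_source[_]
+object.get(ag_source, "all_regions", "undefined") == ["undefined", false][_]
+}
+
+
+{{.prefix}}configEnabledForAllRegions[con.id]{
+con = input.aws_config_configuration_aggregator[_]
+ag_source = con.config.organization_aggregation_source[_]
+object.get(ag_source, "all_regions", "undefined") == ["undefined", false][_]
+}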
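Review bot: Both this file and `configEnabledForAllRegions.rego` define `{{.prefix}}configEnabledForAllRegions` in `package accurics`, one as a set of aggregator ids and the other as a set of remediation objects; if the engine loads every `.rego` in the directory, the partial definitions merge into one set of mixed element types, while the JSON metadata names only `configEnabled.rego`. Keep a single definition, or give the remediation variant its own rule name. Note also that the rule inspects `aws_config_configuration_aggregator` although the policy description promises that AWS Config is enabled in all regions; an account that defines no aggregator at all produces no finding, so the control as described is presumably not fully covered by this resource alone.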
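--- a/pkg/policies/opa/rego/aws/aws_cloudtrail/configEnabledForAllRegions.rego
+++ b/pkg/policies/opa/rego/aws/aws_cloudtrail/configEnabledForAllRegions.rego
@@ -0,0 +1,21 @@
+package accurics
+
+{{.prefix}}configEnabledForAllRegions[retVal]{
+con = input.aws_config_configuration_aggregator[_]
+some i
+ag_source = con.config.account_aggregation_source[i]
+# need some logic to guess ReplaceType as add / edit, we get this value in both cases
+ag_source.all_regions == false
+traverse = sprintf("account_aggregation_source[%d].all_regions", [i])
+retVal := { "Id": con.id, "ReplaceType": "edit", "CodeType": "attribute", "Traverse": traverse, "Attribute": "account_aggregation_source.all_regions", "AttributeDataType": "boolean", "Expected": true, "Actual": ag_source.all_regions }
+}
+
+{{.prefix}}configEnabledForAllRegions[retVal]{
+con = input.aws_config_configuration_aggregator[_]
+some i
+ag_source = con.config.organization_aggregation_source[i]
+# need some logic to guess ReplaceType as add / edit, we get this value in both cases
+ag_source.all_regions == false
+traverse = sprintf("organization_aggregation_source[%d].all_regions", [i])
+retVal := { "Id": con.id, "ReplaceType": "edit", "CodeType": "attribute", "Traverse": traverse, "Attribute": "organization_aggregation_source.all_regions", "AttributeDataType": "boolean", "Expected": true, "Actual": ag_source.all_regions }
+}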
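Review bot: The comment `# need some logic to guess ReplaceType as add / edit, we get this value in both cases` is an unresolved TODO shipped in both rules, and the body hard-codes `"ReplaceType": "edit"` while matching only `ag_source.all_regions == false`; the absent-attribute case that `configEnabled.rego` flags via `"undefined"` never reaches this rule, so the remediation output and the finding set disagree on what counts as a violation. Either add the `"undefined"` branch with `"ReplaceType": "add"` here, or state in a comment that remediation is intentionally limited to the explicit `false` case; the word `guess` in particular should not survive into the merged file.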
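--- a/pkg/policies/opa/rego/aws/aws_cloudtrail/dynamodb_without_recovery_enabled.rego
+++ b/pkg/policies/opa/rego/aws/aws_cloudtrail/dynamodb_without_recovery_enabled.rego
@@ -0,0 +1,12 @@
+package accurics
+
+{{.prefix}}dynamoderecovery_enabled[policy.id] {
+policy := input.aws_dynamodb_table[_]
+object.get(policy, "point_in_time_recovery", "undefined") == "undefined"
+}
+
+{{.prefix}}dynamoderecovery_enabled[policy.id] {
+policy := input.aws_dynamodb_table[_]
+pitr := policy.config.point_in_time_recovery[i]
+pitr.enabled == false
+}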
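Review bot: The first rule calls `object.get(policy, "point_in_time_recovery", "undefined")` on the resource wrapper while the second rule reads `policy.config.point_in_time_recovery`; for the same input one of these paths must be wrong, and if the block lives under `config` (as the second rule and the other rules in this commit assume) the first rule flags every table regardless of its PITR setting. Use `object.get(policy.config, "point_in_time_recovery", "undefined") == "undefined"`. In the second rule `i` is used without a `some i` declaration and never read; `policy.config.point_in_time_recovery[_]` is the idiomatic form when the index is unused.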
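--- a/pkg/policies/opa/rego/aws/aws_cloudtrail/ec2_ebs_not_optimized.rego
+++ b/pkg/policies/opa/rego/aws/aws_cloudtrail/ec2_ebs_not_optimized.rego
@@ -0,0 +1,6 @@
+package accurics
+
+ec2ebsnotoptimized[con.id] {
+con = input.aws_instance[_]
+object.get(con.config, "ebs_optimized", "undefined") == "undefined"
+}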
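Review bot: `ec2ebsnotoptimized[con.id]` lacks the `{{.prefix}}` template marker that every other rule head in this commit carries, so as soon as `template_args.prefix` in `AWS.CloudTrail.Logging.Medium.008.json` is set to a non-empty value the rendered rule name no longer matches the metadata `name` and the policy silently produces no findings. Write the head as `{{.prefix}}ec2ebsnotoptimized[con.id] {`. Only the absent attribute is flagged; an explicit `ebs_optimized = false` passes, which the `["undefined", false][_]` pattern from `configEnabled.rego` would cover in the same line.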
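--- a/pkg/policies/opa/rego/aws/aws_cloudtrail/ecr_make_tags_immutable.rego
+++ b/pkg/policies/opa/rego/aws/aws_cloudtrail/ecr_make_tags_immutable.rego
@@ -0,0 +1,11 @@
+package accurics
+
+{{.prefix}}ecrmaketagsimmutable[con.id]{
+con = input.aws_ecr_repository[_]
+con.config.image_tag_mutability == "MUTABLE"
+}
+
+{{.prefix}}ecrmaketagsimmutable[con.id]{
+con = input.aws_ecr_repository[_]
+object.get(con.config, "image_tag_mutability", "undefined") == "undefined"
+}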
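Review bot: The two rule bodies differ only in whether `image_tag_mutability` is explicitly `"MUTABLE"` or absent, which is the same shape `configEnabled.rego` collapses into one body; a single rule with `object.get(con.config, "image_tag_mutability", "undefined") == ["undefined", "MUTABLE"][_]` keeps the file consistent with that style and leaves one place to update if a third value ever needs flagging. This is a readability point only; the two-rule form evaluates the same set.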