From a96ce66466f7d55d2adb6530aeab304456111931 Mon Sep 17 00:00:00 2001
From: Logan Culotta
Date: Mon, 23 May 2022 14:11:31 -0500
Subject: [PATCH] 6 new Cpacks

---
 ...curity-Best-Practices-for-AutoScaling.yaml | 80 +++++++++++
 ...ecurity-Best-Practices-for-CloudFront.yaml | 108 +++++++++++++++
 .../Security-Best-Practices-for-ECS.yaml | 129 ++++++++++++++++++
 .../Security-Best-Practices-for-EFS.yaml | 43 ++++++
 ...y-Best-Practices-for-Network-Firewall.yaml | 79 +++++++++++
 ...ty-Best-Practices-for-Secrets-Manager.yaml | 82 +++++++++++
 6 files changed, 521 insertions(+)
 create mode 100644 aws-config-conformance-packs/Security-Best-Practices-for-AutoScaling.yaml
 create mode 100644 aws-config-conformance-packs/Security-Best-Practices-for-CloudFront.yaml
 create mode 100644 aws-config-conformance-packs/Security-Best-Practices-for-ECS.yaml
 create mode 100644 aws-config-conformance-packs/Security-Best-Practices-for-EFS.yaml
 create mode 100644 aws-config-conformance-packs/Security-Best-Practices-for-Network-Firewall.yaml
 create mode 100644 aws-config-conformance-packs/Security-Best-Practices-for-Secrets-Manager.yaml

diff --git a/aws-config-conformance-packs/Security-Best-Practices-for-AutoScaling.yaml b/aws-config-conformance-packs/Security-Best-Practices-for-AutoScaling.yaml
new file mode 100644
index 00000000..5f57c032
--- /dev/null
+++ b/aws-config-conformance-packs/Security-Best-Practices-for-AutoScaling.yaml
@@ -0,0 +1,80 @@
+##################################################################################
+#
+# Conformance Pack:
+# Operational Best Practices for
+#
+# This conformance pack helps verify compliance with requirements.
+#
+##################################################################################
+
+Resources:
+ AutoscalingCapacityRebalancing:
+ Properties:
+ ConfigRuleName: autoscaling-capacity-rebalancing
+ Scope:
+ ComplianceResourceTypes:
+ - AWS::AutoScaling::AutoScalingGroup
+ Source:
+ Owner: AWS
+ SourceIdentifier: AUTOSCALING_CAPACITY_REBALANCING
+ Type: AWS::Config::ConfigRule
+ AutoscalingGroupElbHealthcheckRequired:
+ Properties:
+ ConfigRuleName: autoscaling-group-elb-healthcheck-required
+ Scope:
+ ComplianceResourceTypes:
+ - AWS::AutoScaling::AutoScalingGroup
+ Source:
+ Owner: AWS
+ SourceIdentifier: AUTOSCALING_GROUP_ELB_HEALTHCHECK_REQUIRED
+ Type: AWS::Config::ConfigRule
+ AutoscalingLaunchConfigHopLimit:
+ Properties:
+ ConfigRuleName: autoscaling-launch-config-hop-limit
+ Scope:
+ ComplianceResourceTypes:
+ - AWS::AutoScaling::LaunchConfiguration
+ Source:
+ Owner: AWS
+ SourceIdentifier: AUTOSCALING_LAUNCH_CONFIG_HOP_LIMIT
+ Type: AWS::Config::ConfigRule
+ AutoscalingLaunchConfigPublicIpDisabled:
+ Properties:
+ ConfigRuleName: autoscaling-launch-config-public-ip-disabled
+ Scope:
+ ComplianceResourceTypes:
+ - AWS::AutoScaling::LaunchConfiguration
+ Source:
+ Owner: AWS
+ SourceIdentifier: AUTOSCALING_LAUNCH_CONFIG_PUBLIC_IP_DISABLED
+ Type: AWS::Config::ConfigRule
+ AutoscalingLaunchconfigRequiresImdsv2:
+ Properties:
+ ConfigRuleName: autoscaling-launchconfig-requires-imdsv2
+ Scope:
+ ComplianceResourceTypes:
+ - AWS::AutoScaling::LaunchConfiguration
+ Source:
+ Owner: AWS
+ SourceIdentifier: AUTOSCALING_LAUNCHCONFIG_REQUIRES_IMDSV2
+ Type: AWS::Config::ConfigRule
+ AutoscalingMultipleAz:
+ Properties:
+ ConfigRuleName: autoscaling-multiple-az
+ Scope:
+ ComplianceResourceTypes:
+ - AWS::AutoScaling::AutoScalingGroup
+ Source:
+ Owner: AWS
+ SourceIdentifier: AUTOSCALING_MULTIPLE_AZ
+ Type: AWS::Config::ConfigRule
+ AutoscalingMultipleInstanceTypes:
+ Properties:
+ ConfigRuleName: autoscaling-multiple-instance-types
+ Scope:
+ ComplianceResourceTypes:
+ - AWS::AutoScaling::AutoScalingGroup
+ Source:
+ Owner: AWS
+ SourceIdentifier: AUTOSCALING_MULTIPLE_INSTANCE_TYPES
+ Type: AWS::Config::ConfigRule
diff --git a/aws-config-conformance-packs/Security-Best-Practices-for-CloudFront.yaml b/aws-config-conformance-packs/Security-Best-Practices-for-CloudFront.yaml
new file mode 100644
index 00000000..b9a36021
--- /dev/null
+++ b/aws-config-conformance-packs/Security-Best-Practices-for-CloudFront.yaml
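Review bot: The header comment of the AutoScaling pack is incomplete: `# Operational Best Practices for` names no service and `# This conformance pack helps verify compliance with requirements.` is template filler; write it as `# Operational Best Practices for AutoScaling` and either drop the placeholder sentence or say what the pack actually checks. In all six files the header says "Operational Best Practices" while the file names say "Security-Best-Practices"; pick one so the pack's purpose is consistent (this applies equally to the CloudFront, ECS, EFS, Network Firewall and Secrets Manager hunks). The hop-limit, public-ip-disabled and requires-imdsv2 rules are scoped to `AWS::AutoScaling::LaunchConfiguration` only, so groups built from launch templates are, as far as I can tell, not evaluated by this pack; a header line stating that would stop readers from assuming the IMDSv2 check covers every group.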
@@ -0,0 +1,108 @@
+##################################################################################
+#
+# Conformance Pack:
+# Operational Best Practices for CloudFront
+#
+##################################################################################
+
+Resources:
+ CloudfrontAccesslogsEnabled:
+ Properties:
+ ConfigRuleName: cloudfront-accesslogs-enabled
+ Scope:
+ ComplianceResourceTypes:
+ - AWS::CloudFront::Distribution
+ Source:
+ Owner: AWS
+ SourceIdentifier: CLOUDFRONT_ACCESSLOGS_ENABLED
+ Type: AWS::Config::ConfigRule
+ CloudfrontAssociatedWithWaf:
+ Properties:
+ ConfigRuleName: cloudfront-associated-with-waf
+ Scope:
+ ComplianceResourceTypes:
+ - AWS::CloudFront::Distribution
+ Source:
+ Owner: AWS
+ SourceIdentifier: CLOUDFRONT_ASSOCIATED_WITH_WAF
+ Type: AWS::Config::ConfigRule
+ CloudfrontCustomSslCertificate:
+ Properties:
+ ConfigRuleName: cloudfront-custom-ssl-certificate
+ Scope:
+ ComplianceResourceTypes:
+ - AWS::CloudFront::Distribution
+ Source:
+ Owner: AWS
+ SourceIdentifier: CLOUDFRONT_CUSTOM_SSL_CERTIFICATE
+ Type: AWS::Config::ConfigRule
+ CloudfrontDefaultRootObjectConfigured:
+ Properties:
+ ConfigRuleName: cloudfront-default-root-object-configured
+ Scope:
+ ComplianceResourceTypes:
+ - AWS::CloudFront::Distribution
+ Source:
+ Owner: AWS
+ SourceIdentifier: CLOUDFRONT_DEFAULT_ROOT_OBJECT_CONFIGURED
+ Type: AWS::Config::ConfigRule
+ CloudfrontNoDeprecatedSslProtocols:
+ Properties:
+ ConfigRuleName: cloudfront-no-deprecated-ssl-protocols
+ Scope:
+ ComplianceResourceTypes:
+ - AWS::CloudFront::Distribution
+ Source:
+ Owner: AWS
+ SourceIdentifier: CLOUDFRONT_NO_DEPRECATED_SSL_PROTOCOLS
+ Type: AWS::Config::ConfigRule
+ CloudfrontOriginAccessIdentityEnabled:
+ Properties:
+ ConfigRuleName: cloudfront-origin-access-identity-enabled
+ Scope:
+ ComplianceResourceTypes:
+ - AWS::CloudFront::Distribution
+ Source:
+ Owner: AWS
+ SourceIdentifier: CLOUDFRONT_ORIGIN_ACCESS_IDENTITY_ENABLED
+ Type: AWS::Config::ConfigRule
+ CloudfrontOriginFailoverEnabled:
+ Properties:
+ ConfigRuleName: cloudfront-origin-failover-enabled
+ Scope:
+ ComplianceResourceTypes:
+ - AWS::CloudFront::Distribution
+ Source:
+ Owner: AWS
+ SourceIdentifier: CLOUDFRONT_ORIGIN_FAILOVER_ENABLED
+ Type: AWS::Config::ConfigRule
+ CloudfrontSniEnabled:
+ Properties:
+ ConfigRuleName: cloudfront-sni-enabled
+ Scope:
+ ComplianceResourceTypes:
+ - AWS::CloudFront::Distribution
+ Source:
+ Owner: AWS
+ SourceIdentifier: CLOUDFRONT_SNI_ENABLED
+ Type: AWS::Config::ConfigRule
+ CloudfrontTrafficToOriginEncrypted:
+ Properties:
+ ConfigRuleName: cloudfront-traffic-to-origin-encrypted
+ Scope:
+ ComplianceResourceTypes:
+ - AWS::CloudFront::Distribution
+ Source:
+ Owner: AWS
+ SourceIdentifier: CLOUDFRONT_TRAFFIC_TO_ORIGIN_ENCRYPTED
+ Type: AWS::Config::ConfigRule
+ CloudfrontViewerPolicyHttps:
+ Properties:
+ ConfigRuleName: cloudfront-viewer-policy-https
+ Scope:
+ ComplianceResourceTypes:
+ - AWS::CloudFront::Distribution
+ Source:
+ Owner: AWS
+ SourceIdentifier: CLOUDFRONT_VIEWER_POLICY_HTTPS
+ Type: AWS::Config::ConfigRule
diff --git a/aws-config-conformance-packs/Security-Best-Practices-for-ECS.yaml b/aws-config-conformance-packs/Security-Best-Practices-for-ECS.yaml
new file mode 100644
index 00000000..3aff5286
--- /dev/null
+++ b/aws-config-conformance-packs/Security-Best-Practices-for-ECS.yaml
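Review bot: Every rule in this pack is scoped to `AWS::CloudFront::Distribution`, a global resource type that, as far as I know, AWS Config records only through the us-east-1 recorder, so deploying the pack in any other region evaluates zero resources and reports nothing while appearing healthy. A header line such as `# Deploy in us-east-1: CloudFront distributions are a global resource type recorded there` would prevent that silent no-op. The header in this file is otherwise complete, unlike the AutoScaling one, so only that deployment caveat is missing.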
@@ -0,0 +1,129 @@
+##################################################################################
+#
+# Conformance Pack:
+# Operational Best Practices for ECS
+#
+#
+##################################################################################
+
+Parameters:
+ EcsNoEnvironmentSecretsParamSecretKeys:
+ Default: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, ECS_ENGINE_AUTH_DATA
+ Type: String
+ EcsTaskDefinitionUserForHostModeCheckParamSkipInactiveTaskDefinitions:
+ Default: 'true'
+ Type: String
+Resources:
+ EcsContainerInsightsEnabled:
+ Properties:
+ ConfigRuleName: ecs-container-insights-enabled
+ Scope:
+ ComplianceResourceTypes:
+ - AWS::ECS::Cluster
+ Source:
+ Owner: AWS
+ SourceIdentifier: ECS_CONTAINER_INSIGHTS_ENABLED
+ Type: AWS::Config::ConfigRule
+ EcsContainersNonprivileged:
+ Properties:
+ ConfigRuleName: ecs-containers-nonprivileged
+ Scope:
+ ComplianceResourceTypes:
+ - AWS::ECS::TaskDefinition
+ Source:
+ Owner: AWS
+ SourceIdentifier: ECS_CONTAINERS_NONPRIVILEGED
+ Type: AWS::Config::ConfigRule
+ EcsContainersReadonlyAccess:
+ Properties:
+ ConfigRuleName: ecs-containers-readonly-access
+ Scope:
+ ComplianceResourceTypes:
+ - AWS::ECS::TaskDefinition
+ Source:
+ Owner: AWS
+ SourceIdentifier: ECS_CONTAINERS_READONLY_ACCESS
+ Type: AWS::Config::ConfigRule
+ EcsFargateLatestPlatformVersion:
+ Properties:
+ ConfigRuleName: ecs-fargate-latest-platform-version
+ Scope:
+ ComplianceResourceTypes:
+ - AWS::ECS::Service
+ Source:
+ Owner: AWS
+ SourceIdentifier: ECS_FARGATE_LATEST_PLATFORM_VERSION
+ Type: AWS::Config::ConfigRule
+ EcsNoEnvironmentSecrets:
+ Properties:
+ ConfigRuleName: ecs-no-environment-secrets
+ InputParameters:
+ secretKeys:
+ Fn::If:
+ - ecsNoEnvironmentSecretsParamSecretKeys
+ - Ref: EcsNoEnvironmentSecretsParamSecretKeys
+ - Ref: AWS::NoValue
+ Scope:
+ ComplianceResourceTypes:
+ - AWS::ECS::TaskDefinition
+ Source:
+ Owner: AWS
+ SourceIdentifier: ECS_NO_ENVIRONMENT_SECRETS
+ Type: AWS::Config::ConfigRule
+ EcsTaskDefinitionMemoryHardLimit:
+ Properties:
+ ConfigRuleName: ecs-task-definition-memory-hard-limit
+ Scope:
+ ComplianceResourceTypes:
+ - AWS::ECS::TaskDefinition
+ Source:
+ Owner: AWS
+ SourceIdentifier: ECS_TASK_DEFINITION_MEMORY_HARD_LIMIT
+ Type: AWS::Config::ConfigRule
+ EcsTaskDefinitionNonrootUser:
+ Properties:
+ ConfigRuleName: ecs-task-definition-nonroot-user
+ Scope:
+ ComplianceResourceTypes:
+ - AWS::ECS::TaskDefinition
+ Source:
+ Owner: AWS
+ SourceIdentifier: ECS_TASK_DEFINITION_NONROOT_USER
+ Type: AWS::Config::ConfigRule
+ EcsTaskDefinitionPidModeCheck:
+ Properties:
+ ConfigRuleName: ecs-task-definition-pid-mode-check
+ Scope:
+ ComplianceResourceTypes:
+ - AWS::ECS::TaskDefinition
+ Source:
+ Owner: AWS
+ SourceIdentifier: ECS_TASK_DEFINITION_PID_MODE_CHECK
+ Type: AWS::Config::ConfigRule
+ EcsTaskDefinitionUserForHostModeCheck:
+ Properties:
+ ConfigRuleName: ecs-task-definition-user-for-host-mode-check
+ InputParameters:
+ SkipInactiveTaskDefinitions:
+ Fn::If:
+ - ecsTaskDefinitionUserForHostModeCheckParamSkipInactiveTaskDefinitions
+ - Ref: EcsTaskDefinitionUserForHostModeCheckParamSkipInactiveTaskDefinitions
+ - Ref: AWS::NoValue
+ Scope:
+ ComplianceResourceTypes:
+ - AWS::ECS::TaskDefinition
+ Source:
+ Owner: AWS
+ SourceIdentifier: ECS_TASK_DEFINITION_USER_FOR_HOST_MODE_CHECK
+ Type: AWS::Config::ConfigRule
+Conditions:
+ ecsNoEnvironmentSecretsParamSecretKeys:
+ Fn::Not:
+ - Fn::Equals:
+ - ''
+ - Ref: EcsNoEnvironmentSecretsParamSecretKeys
+ ecsTaskDefinitionUserForHostModeCheckParamSkipInactiveTaskDefinitions:
+ Fn::Not:
+ - Fn::Equals:
+ - ''
+ - Ref: EcsTaskDefinitionUserForHostModeCheckParamSkipInactiveTaskDefinitions
diff --git a/aws-config-conformance-packs/Security-Best-Practices-for-EFS.yaml b/aws-config-conformance-packs/Security-Best-Practices-for-EFS.yaml
new file mode 100644
index 00000000..fa3627a2
--- /dev/null
+++ b/aws-config-conformance-packs/Security-Best-Practices-for-EFS.yaml
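Review bot: The two `Parameters` entries carry no `Description`, so a deployer cannot tell from the template that `EcsNoEnvironmentSecretsParamSecretKeys` is a comma-separated list of environment variable names the rule treats as secrets, or that an empty string disables the parameter through the `Conditions` block; the same gap exists for the `Parameters` in the Network Firewall and Secrets Manager hunks. The default `AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, ECS_ENGINE_AUTH_DATA` has a space after each comma, and whether the rule trims those before matching is not visible here, so either confirm it or use `AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY,ECS_ENGINE_AUTH_DATA`. One line per parameter, e.g. `Description: Comma-separated environment variable names that must not appear in task definitions; empty disables the check parameter.`, is enough.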
@@ -0,0 +1,43 @@
+##################################################################################
+#
+# Conformance Pack:
+# Operational Best Practices for EFS
+#
+#
+##################################################################################
+
+Resources:
+ EfsAccessPointEnforceRootDirectory:
+ Properties:
+ ConfigRuleName: efs-access-point-enforce-root-directory
+ Scope:
+ ComplianceResourceTypes:
+ - AWS::EFS::AccessPoint
+ Source:
+ Owner: AWS
+ SourceIdentifier: EFS_ACCESS_POINT_ENFORCE_ROOT_DIRECTORY
+ Type: AWS::Config::ConfigRule
+ EfsAccessPointEnforceUserIdentity:
+ Properties:
+ ConfigRuleName: efs-access-point-enforce-user-identity
+ Scope:
+ ComplianceResourceTypes:
+ - AWS::EFS::AccessPoint
+ Source:
+ Owner: AWS
+ SourceIdentifier: EFS_ACCESS_POINT_ENFORCE_USER_IDENTITY
+ Type: AWS::Config::ConfigRule
+ EfsEncryptedCheck:
+ Properties:
+ ConfigRuleName: efs-encrypted-check
+ Source:
+ Owner: AWS
+ SourceIdentifier: EFS_ENCRYPTED_CHECK
+ Type: AWS::Config::ConfigRule
+ EfsInBackupPlan:
+ Properties:
+ ConfigRuleName: efs-in-backup-plan
+ Source:
+ Owner: AWS
+ SourceIdentifier: EFS_IN_BACKUP_PLAN
+ Type: AWS::Config::ConfigRule
diff --git a/aws-config-conformance-packs/Security-Best-Practices-for-Network-Firewall.yaml b/aws-config-conformance-packs/Security-Best-Practices-for-Network-Firewall.yaml
new file mode 100644
index 00000000..4dbceea2
--- /dev/null
+++ b/aws-config-conformance-packs/Security-Best-Practices-for-Network-Firewall.yaml
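Review bot: `EfsEncryptedCheck` is declared without `InputParameters`, so, if I read the rule correctly, any encrypted file system passes regardless of which KMS key protects it; the rule accepts an optional `KmsKeyId` input for teams that must pin a customer-managed key, and a comment recording that this pack deliberately accepts the AWS-managed key would make the choice explicit. `EfsEncryptedCheck` and `EfsInBackupPlan` also have no `Scope` while the two access-point rules do — presumably because they are periodic rules rather than change-triggered ones — and a one-line comment such as `# periodic rule: evaluates all file systems, no Scope needed` would keep readers from treating that as an omission.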
@@ -0,0 +1,79 @@
+##################################################################################
+#
+# Conformance Pack:
+# Operational Best Practices for Network Firewall
+#
+#
+##################################################################################
+
+Parameters:
+ NetfwPolicyDefaultActionFragmentPacketsParamStatelessFragmentDefaultActions:
+ Default: aws:drop,aws:forward_to_sfe
+ Type: String
+ NetfwPolicyDefaultActionFullPacketsParamStatelessDefaultActions:
+ Default: aws:drop,aws:forward_to_sfe
+ Type: String
+Resources:
+ NetfwPolicyDefaultActionFragmentPackets:
+ Properties:
+ ConfigRuleName: netfw-policy-default-action-fragment-packets
+ InputParameters:
+ statelessFragmentDefaultActions:
+ Fn::If:
+ - netfwPolicyDefaultActionFragmentPacketsParamStatelessFragmentDefaultActions
+ - Ref: NetfwPolicyDefaultActionFragmentPacketsParamStatelessFragmentDefaultActions
+ - Ref: AWS::NoValue
+ Scope:
+ ComplianceResourceTypes:
+ - AWS::NetworkFirewall::FirewallPolicy
+ Source:
+ Owner: AWS
+ SourceIdentifier: NETFW_POLICY_DEFAULT_ACTION_FRAGMENT_PACKETS
+ Type: AWS::Config::ConfigRule
+ NetfwPolicyDefaultActionFullPackets:
+ Properties:
+ ConfigRuleName: netfw-policy-default-action-full-packets
+ InputParameters:
+ statelessDefaultActions:
+ Fn::If:
+ - netfwPolicyDefaultActionFullPacketsParamStatelessDefaultActions
+ - Ref: NetfwPolicyDefaultActionFullPacketsParamStatelessDefaultActions
+ - Ref: AWS::NoValue
+ Scope:
+ ComplianceResourceTypes:
+ - AWS::NetworkFirewall::FirewallPolicy
+ Source:
+ Owner: AWS
+ SourceIdentifier: NETFW_POLICY_DEFAULT_ACTION_FULL_PACKETS
+ Type: AWS::Config::ConfigRule
+ NetfwPolicyRuleGroupAssociated:
+ Properties:
+ ConfigRuleName: netfw-policy-rule-group-associated
+ Scope:
+ ComplianceResourceTypes:
+ - AWS::NetworkFirewall::FirewallPolicy
+ Source:
+ Owner: AWS
+ SourceIdentifier: NETFW_POLICY_RULE_GROUP_ASSOCIATED
+ Type: AWS::Config::ConfigRule
+ NetfwStatelessRuleGroupNotEmpty:
+ Properties:
+ ConfigRuleName: netfw-stateless-rule-group-not-empty
+ Scope:
+ ComplianceResourceTypes:
+ - AWS::NetworkFirewall::RuleGroup
+ Source:
+ Owner: AWS
+ SourceIdentifier: NETFW_STATELESS_RULE_GROUP_NOT_EMPTY
+ Type: AWS::Config::ConfigRule
+Conditions:
+ netfwPolicyDefaultActionFragmentPacketsParamStatelessFragmentDefaultActions:
+ Fn::Not:
+ - Fn::Equals:
+ - ''
+ - Ref: NetfwPolicyDefaultActionFragmentPacketsParamStatelessFragmentDefaultActions
+ netfwPolicyDefaultActionFullPacketsParamStatelessDefaultActions:
+ Fn::Not:
+ - Fn::Equals:
+ - ''
+ - Ref: NetfwPolicyDefaultActionFullPacketsParamStatelessDefaultActions
diff --git a/aws-config-conformance-packs/Security-Best-Practices-for-Secrets-Manager.yaml b/aws-config-conformance-packs/Security-Best-Practices-for-Secrets-Manager.yaml
new file mode 100644
index 00000000..030bd16e
--- /dev/null
+++ b/aws-config-conformance-packs/Security-Best-Practices-for-Secrets-Manager.yaml
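Review bot: The `Fn::If … AWS::NoValue` indirection lets a deployer pass an empty string for `NetfwPolicyDefaultActionFullPacketsParamStatelessDefaultActions` (and its fragment-packet twin), which then creates the rule with no `statelessDefaultActions` at all; if that input is required by the rule, as I believe it is, the failure surfaces at stack deployment rather than at template validation. Either drop the `Conditions` wrapper for these two parameters, since the rule is meaningless without them, or add an `AllowedPattern` so the empty case is rejected up front. A `Description` on each parameter should also state that the value is a comma-separated allow-list of acceptable default actions, so that the default `aws:drop,aws:forward_to_sfe` marks a policy whose stateless default is `aws:pass` as non-compliant — that is the security intent of the pack and it is not written down anywhere.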
@@ -0,0 +1,82 @@
+##################################################################################
+#
+# Conformance Pack:
+# Operational Best Practices for Secrets Manager
+#
+##################################################################################
+
+Parameters:
+ SecretsmanagerSecretPeriodicRotationParamMaxDaysSinceRotation:
+ Default: '90'
+ Type: String
+ SecretsmanagerSecretUnusedParamUnusedForDays:
+ Default: '90'
+ Type: String
+Resources:
+ SecretsmanagerRotationEnabledCheck:
+ Properties:
+ ConfigRuleName: secretsmanager-rotation-enabled-check
+ Scope:
+ ComplianceResourceTypes:
+ - AWS::SecretsManager::Secret
+ Source:
+ Owner: AWS
+ SourceIdentifier: SECRETSMANAGER_ROTATION_ENABLED_CHECK
+ Type: AWS::Config::ConfigRule
+ SecretsmanagerScheduledRotationSuccessCheck:
+ Properties:
+ ConfigRuleName: secretsmanager-scheduled-rotation-success-check
+ Scope:
+ ComplianceResourceTypes:
+ - AWS::SecretsManager::Secret
+ Source:
+ Owner: AWS
+ SourceIdentifier: SECRETSMANAGER_SCHEDULED_ROTATION_SUCCESS_CHECK
+ Type: AWS::Config::ConfigRule
+ SecretsmanagerSecretPeriodicRotation:
+ Properties:
+ ConfigRuleName: secretsmanager-secret-periodic-rotation
+ InputParameters:
+ maxDaysSinceRotation:
+ Fn::If:
+ - secretsmanagerSecretPeriodicRotationParamMaxDaysSinceRotation
+ - Ref: SecretsmanagerSecretPeriodicRotationParamMaxDaysSinceRotation
+ - Ref: AWS::NoValue
+ Source:
+ Owner: AWS
+ SourceIdentifier: SECRETSMANAGER_SECRET_PERIODIC_ROTATION
+ Type: AWS::Config::ConfigRule
+ SecretsmanagerSecretUnused:
+ Properties:
+ ConfigRuleName: secretsmanager-secret-unused
+ InputParameters:
+ unusedForDays:
+ Fn::If:
+ - secretsmanagerSecretUnusedParamUnusedForDays
+ - Ref: SecretsmanagerSecretUnusedParamUnusedForDays
+ - Ref: AWS::NoValue
+ Source:
+ Owner: AWS
+ SourceIdentifier: SECRETSMANAGER_SECRET_UNUSED
+ Type: AWS::Config::ConfigRule
+ SecretsmanagerUsingCmk:
+ Properties:
+ ConfigRuleName: secretsmanager-using-cmk
+ Scope:
+ ComplianceResourceTypes:
+ - AWS::SecretsManager::Secret
+ Source:
+ Owner: AWS
+ SourceIdentifier: SECRETSMANAGER_USING_CMK
+ Type: AWS::Config::ConfigRule
+Conditions:
+ secretsmanagerSecretPeriodicRotationParamMaxDaysSinceRotation:
+ Fn::Not:
+ - Fn::Equals:
+ - ''
+ - Ref: SecretsmanagerSecretPeriodicRotationParamMaxDaysSinceRotation
+ secretsmanagerSecretUnusedParamUnusedForDays:
+ Fn::Not:
+ - Fn::Equals:
+ - ''
+ - Ref: SecretsmanagerSecretUnusedParamUnusedForDays
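Review bot: `SecretsmanagerSecretPeriodicRotation` and `SecretsmanagerSecretUnused` have no `Scope` while the other three rules are scoped to `AWS::SecretsManager::Secret`; that is presumably because these two are periodic-trigger rules, but without a comment such as `# periodic rule: no Scope needed` the asymmetry reads as an omission. The two parameters default to `'90'` with no `Description` and no `AllowedPattern` restricting them to a positive integer, so a non-numeric value only fails once the rule evaluates rather than at template validation. A `Description` per parameter stating the unit (days) and that an empty string disables the parameter via `Conditions`, plus `AllowedPattern: '^$|^[0-9]+$'` (constructed here; adjust to the pack's conventions), would close both gaps.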