Merge pull request #14 from aquasecurity/liamg-auto-add-tfsec-check-t…

…emplates

Auto generate templates for all existing rules

rules/aws/apigateway/enable_access_logging.go

@@ -0,0 +1,36 @@
+package apigateway
+
+import (
+	"github.com/aquasecurity/defsec/provider"
+	"github.com/aquasecurity/defsec/rules"
+	"github.com/aquasecurity/defsec/severity"
+	"github.com/aquasecurity/defsec/state"
+)
+
+var CheckEnableAccessLogging = rules.Register(
+	rules.Rule{
+		Provider:    provider.AWSProvider,
+		Service:     "api-gateway",
+		ShortCode:   "enable-access-logging",
+		Summary:     "API Gateway stages for V1 and V2 should have access logging enabled",
+		Impact:      "Logging provides vital information about access and usage",
+		Resolution:  "Enable logging for API Gateway stages",
+		Explanation: `API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.`,
+		Links: []string{ 
+			"https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html",
+		},
+		Severity: severity.Medium,
+	},
+	func(s *state.State) (results rules.Results) {
+		for _, x := range s.AWS.S3.Buckets {
+			if x.Encryption.Enabled.IsFalse() {
+				results.Add(
+					"",
+					x.Encryption.Enabled.Metadata(),
+					x.Encryption.Enabled.Value(),
+				)
+			}
+		}
+		return
+	},
+)

rules/aws/apigateway/enable_cache_encryption.go

@@ -0,0 +1,35 @@
+package apigateway
+
+import (
+	"github.com/aquasecurity/defsec/provider"
+	"github.com/aquasecurity/defsec/rules"
+	"github.com/aquasecurity/defsec/severity"
+	"github.com/aquasecurity/defsec/state"
+)
+
+var CheckEnableCacheEncryption = rules.Register(
+	rules.Rule{
+		Provider:    provider.AWSProvider,
+		Service:     "api-gateway",
+		ShortCode:   "enable-cache-encryption",
+		Summary:     "API Gateway must have cache enabled",
+		Impact:      "Data stored in the cache that is unencrypted may be vulnerable to compromise",
+		Resolution:  "Enable cache encryption",
+		Explanation: `Method cache encryption ensures that any sensitive data in the cache is not vulnerable to compromise in the event of interception`,
+		Links: []string{ 
+		},
+		Severity: severity.Medium,
+	},
+	func(s *state.State) (results rules.Results) {
+		for _, x := range s.AWS.S3.Buckets {
+			if x.Encryption.Enabled.IsFalse() {
+				results.Add(
+					"",
+					x.Encryption.Enabled.Metadata(),
+					x.Encryption.Enabled.Value(),
+				)
+			}
+		}
+		return
+	},
+)

rules/aws/apigateway/enable_tracing.go

@@ -0,0 +1,35 @@
+package apigateway
+
+import (
+	"github.com/aquasecurity/defsec/provider"
+	"github.com/aquasecurity/defsec/rules"
+	"github.com/aquasecurity/defsec/severity"
+	"github.com/aquasecurity/defsec/state"
+)
+
+var CheckEnableTracing = rules.Register(
+	rules.Rule{
+		Provider:    provider.AWSProvider,
+		Service:     "api-gateway",
+		ShortCode:   "enable-tracing",
+		Summary:     "API Gateway must have X-Ray tracing enabled",
+		Impact:      "WIthout full tracing enabled it is difficult to trace the flow of logs",
+		Resolution:  "Enable tracing",
+		Explanation: `X-Ray tracing enables end-to-end debugging and analysis of all API Gateway HTTP requests.`,
+		Links: []string{ 
+		},
+		Severity: severity.Low,
+	},
+	func(s *state.State) (results rules.Results) {
+		for _, x := range s.AWS.S3.Buckets {
+			if x.Encryption.Enabled.IsFalse() {
+				results.Add(
+					"",
+					x.Encryption.Enabled.Metadata(),
+					x.Encryption.Enabled.Value(),
+				)
+			}
+		}
+		return
+	},
+)

rules/aws/apigateway/no_public_access.go

@@ -0,0 +1,35 @@
+package apigateway
+
+import (
+	"github.com/aquasecurity/defsec/provider"
+	"github.com/aquasecurity/defsec/rules"
+	"github.com/aquasecurity/defsec/severity"
+	"github.com/aquasecurity/defsec/state"
+)
+
+var CheckNoPublicAccess = rules.Register(
+	rules.Rule{
+		Provider:    provider.AWSProvider,
+		Service:     "api-gateway",
+		ShortCode:   "no-public-access",
+		Summary:     "No public access to API Gateway methods",
+		Impact:      "API gateway methods can be unauthorized accessed",
+		Resolution:  "Use and authorization method or require API Key",
+		Explanation: `API Gateway methods should be protected by authorization or api key. OPTION verb calls can be used without authorization`,
+		Links: []string{ 
+		},
+		Severity: severity.Low,
+	},
+	func(s *state.State) (results rules.Results) {
+		for _, x := range s.AWS.S3.Buckets {
+			if x.Encryption.Enabled.IsFalse() {
+				results.Add(
+					"",
+					x.Encryption.Enabled.Metadata(),
+					x.Encryption.Enabled.Value(),
+				)
+			}
+		}
+		return
+	},
+)

rules/aws/apigateway/use_secure_tls_policy.go

@@ -0,0 +1,36 @@
+package apigateway
+
+import (
+	"github.com/aquasecurity/defsec/provider"
+	"github.com/aquasecurity/defsec/rules"
+	"github.com/aquasecurity/defsec/severity"
+	"github.com/aquasecurity/defsec/state"
+)
+
+var CheckUseSecureTlsPolicy = rules.Register(
+	rules.Rule{
+		Provider:    provider.AWSProvider,
+		Service:     "api-gateway",
+		ShortCode:   "use-secure-tls-policy",
+		Summary:     "API Gateway domain name uses outdated SSL/TLS protocols.",
+		Impact:      "Outdated SSL policies increase exposure to known vulnerabilities",
+		Resolution:  "Use the most modern TLS/SSL policies available",
+		Explanation: `You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.`,
+		Links: []string{ 
+			"https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-custom-domain-tls-version.html",
+		},
+		Severity: severity.High,
+	},
+	func(s *state.State) (results rules.Results) {
+		for _, x := range s.AWS.S3.Buckets {
+			if x.Encryption.Enabled.IsFalse() {
+				results.Add(
+					"",
+					x.Encryption.Enabled.Metadata(),
+					x.Encryption.Enabled.Value(),
+				)
+			}
+		}
+		return
+	},
+)

rules/aws/athena/enable_at_rest_encryption.go

@@ -0,0 +1,36 @@
+package athena
+
+import (
+	"github.com/aquasecurity/defsec/provider"
+	"github.com/aquasecurity/defsec/rules"
+	"github.com/aquasecurity/defsec/severity"
+	"github.com/aquasecurity/defsec/state"
+)
+
+var CheckEnableAtRestEncryption = rules.Register(
+	rules.Rule{
+		Provider:    provider.AWSProvider,
+		Service:     "athena",
+		ShortCode:   "enable-at-rest-encryption",
+		Summary:     "Athena databases and workgroup configurations are created unencrypted at rest by default, they should be encrypted",
+		Impact:      "Data can be read if the Athena Database is compromised",
+		Resolution:  "Enable encryption at rest for Athena databases and workgroup configurations",
+		Explanation: `Athena databases and workspace result sets should be encrypted at rests. These databases and query sets are generally derived from data in S3 buckets and should have the same level of at rest protection.`,
+		Links: []string{ 
+			"https://docs.aws.amazon.com/athena/latest/ug/encryption.html",
+		},
+		Severity: severity.High,
+	},
+	func(s *state.State) (results rules.Results) {
+		for _, x := range s.AWS.S3.Buckets {
+			if x.Encryption.Enabled.IsFalse() {
+				results.Add(
+					"",
+					x.Encryption.Enabled.Metadata(),
+					x.Encryption.Enabled.Value(),
+				)
+			}
+		}
+		return
+	},
+)

rules/aws/athena/no_encryption_override.go

@@ -0,0 +1,36 @@
+package athena
+
+import (
+	"github.com/aquasecurity/defsec/provider"
+	"github.com/aquasecurity/defsec/rules"
+	"github.com/aquasecurity/defsec/severity"
+	"github.com/aquasecurity/defsec/state"
+)
+
+var CheckNoEncryptionOverride = rules.Register(
+	rules.Rule{
+		Provider:    provider.AWSProvider,
+		Service:     "athena",
+		ShortCode:   "no-encryption-override",
+		Summary:     "Athena workgroups should enforce configuration to prevent client disabling encryption",
+		Impact:      "Clients can ignore encryption requirements",
+		Resolution:  "Enforce the configuration to prevent client overrides",
+		Explanation: `Athena workgroup configuration should be enforced to prevent client side changes to disable encryption settings.`,
+		Links: []string{ 
+			"https://docs.aws.amazon.com/athena/latest/ug/manage-queries-control-costs-with-workgroups.html",
+		},
+		Severity: severity.High,
+	},
+	func(s *state.State) (results rules.Results) {
+		for _, x := range s.AWS.S3.Buckets {
+			if x.Encryption.Enabled.IsFalse() {
+				results.Add(
+					"",
+					x.Encryption.Enabled.Metadata(),
+					x.Encryption.Enabled.Value(),
+				)
+			}
+		}
+		return
+	},
+)

rules/aws/autoscaling/enable_at_rest_encryption.go

@@ -0,0 +1,36 @@
+package autoscaling
+
+import (
+	"github.com/aquasecurity/defsec/provider"
+	"github.com/aquasecurity/defsec/rules"
+	"github.com/aquasecurity/defsec/severity"
+	"github.com/aquasecurity/defsec/state"
+)
+
+var CheckEnableAtRestEncryption = rules.Register(
+	rules.Rule{
+		Provider:    provider.AWSProvider,
+		Service:     "autoscaling",
+		ShortCode:   "enable-at-rest-encryption",
+		Summary:     "Launch configuration with unencrypted block device.",
+		Impact:      "The block device could be compromised and read from",
+		Resolution:  "Turn on encryption for all block devices",
+		Explanation: `Blocks devices should be encrypted to ensure sensitive data is held securely at rest.`,
+		Links: []string{ 
+			"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/RootDeviceStorage.html",
+		},
+		Severity: severity.High,
+	},
+	func(s *state.State) (results rules.Results) {
+		for _, x := range s.AWS.S3.Buckets {
+			if x.Encryption.Enabled.IsFalse() {
+				results.Add(
+					"",
+					x.Encryption.Enabled.Metadata(),
+					x.Encryption.Enabled.Value(),
+				)
+			}
+		}
+		return
+	},
+)

rules/aws/autoscaling/no_public_ip.go

@@ -0,0 +1,36 @@
+package autoscaling
+
+import (
+	"github.com/aquasecurity/defsec/provider"
+	"github.com/aquasecurity/defsec/rules"
+	"github.com/aquasecurity/defsec/severity"
+	"github.com/aquasecurity/defsec/state"
+)
+
+var CheckNoPublicIp = rules.Register(
+	rules.Rule{
+		Provider:    provider.AWSProvider,
+		Service:     "autoscaling",
+		ShortCode:   "no-public-ip",
+		Summary:     "A resource has a public IP address.",
+		Impact:      "The instance or configuration is publicly accessible",
+		Resolution:  "Set the instance to not be publicly accessible",
+		Explanation: `You should limit the provision of public IP addresses for resources. Resources should not be exposed on the public internet, but should have access limited to consumers required for the function of your application.`,
+		Links: []string{ 
+			"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html",
+		},
+		Severity: severity.High,
+	},
+	func(s *state.State) (results rules.Results) {
+		for _, x := range s.AWS.S3.Buckets {
+			if x.Encryption.Enabled.IsFalse() {
+				results.Add(
+					"",
+					x.Encryption.Enabled.Metadata(),
+					x.Encryption.Enabled.Value(),
+				)
+			}
+		}
+		return
+	},
+)

rules/aws/cloudfront/enable_logging.go

@@ -0,0 +1,36 @@
+package cloudfront
+
+import (
+	"github.com/aquasecurity/defsec/provider"
+	"github.com/aquasecurity/defsec/rules"
+	"github.com/aquasecurity/defsec/severity"
+	"github.com/aquasecurity/defsec/state"
+)
+
+var CheckEnableLogging = rules.Register(
+	rules.Rule{
+		Provider:    provider.AWSProvider,
+		Service:     "cloudfront",
+		ShortCode:   "enable-logging",
+		Summary:     "Cloudfront distribution should have Access Logging configured",
+		Impact:      "Logging provides vital information about access and usage",
+		Resolution:  "Enable logging for CloudFront distributions",
+		Explanation: `You should configure CloudFront Access Logging to create log files that contain detailed information about every user request that CloudFront receives`,
+		Links: []string{ 
+			"https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html",
+		},
+		Severity: severity.Medium,
+	},
+	func(s *state.State) (results rules.Results) {
+		for _, x := range s.AWS.S3.Buckets {
+			if x.Encryption.Enabled.IsFalse() {
+				results.Add(
+					"",
+					x.Encryption.Enabled.Metadata(),
+					x.Encryption.Enabled.Value(),
+				)
+			}
+		}
+		return
+	},
+)