Enhancement/Update AWS CIS Benchmark to 1.2.0

[prisas]

Changes:

• Creates the new AWS CIS 1.2.0 json ruleset, the required new findings and updates the findings to the new output format
  • Including 23 new rules
• Adds support for AWS CloudWatch Metric Filters
• Adds support for AWS Peering Connections
• Adds support for AWS Flow Logs (Subnet & VPC)

This PR is for issue #434

Phases:

• Create all the new AWS CIS 1.2.0 IAM rules and update the format of the old ones
• Create all the new AWS CIS 1.2.0 Logging rules and update the format of the old ones
• Create all the new AWS CIS 1.2.0 Monitoring rules and update the format of the old ones
• Create all the new AWS CIS 1.2.0 Networking rules and update the format of the old ones

TODOs for @j4v:

• Complete finding 1.14 of the cis-1-2-0.json ruleset
  This finding is already created in the rule iam-root-account-no-hardware-mfa.json. The resource iam/credentialreports.py is already set to fetch the VirtualMfaDevices and parse it. The parsing of the returned data should get the serial-number of the mfa device and also a boolean containing whether the MFA device is hardware based or not.
  To check if a MFA device is hardware or virtual, the serial-number should be checked. If the serial-number contains "arn", then the device is virtaul. Otherwise, the device is hardware.
  Once done, issue Add check for hardware based MFA for the root account in AWS #681 can be closed.
• Ensure there aren't any duplicate findings in pub/prop
  • Compare EC2 SG findings as there might be duplicates
• Ensure new findings are added to default ruleset (+prop) where appropriate
• Ensure new findings are added to detailed ruleset where appropriate
  • Review the arguments used in the detailed ruleset
    There are some findings that may have inappropriate arguments. For example, the iam-password-policy-minimum-length finding has the minimum length argument set to 8 when the CIS recommendation is 14.
• Review peering connection implementation/partial
• Review hidden flow logs implementation/partial
• Fix findings 3.1 to 3.14 of cis-1-2-0.json ruleset not returning an empty list when clicked.
  Further information of this issue can be found here: Enhancement/Update AWS CIS Benchmark to 1.2.0 #679 (comment)

[prisas]

Updated all the old CIS Benchmark 1.0.0 IAM rules to the new format and added all the new CIS Bechmark 1.2.0 IAM rules.

There are still a couple of issues to fix or check but it should all work with some minor tweaks.

[prisas]

I just pushed a new commit where I updated all the old CIS Benchmark 1.0.0 Logging rules to the new format and added all the new CIS Bechmark 1.2.0 Logging rules.

There are a few minor issues to be fixed before it works as intended.

[codecov-io]

Codecov Report

Merging #679 into develop will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff            @@
##           develop     #679   +/-   ##
========================================
  Coverage    65.03%   65.03%           
========================================
  Files           22       22           
  Lines         1530     1530           
========================================
  Hits           995      995           
  Misses         535      535           

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 7c576ae...33ae2b0. Read the comment docs.

[prisas]

Current errors to be fixed:

• iam_unusued_credentials_not_disabled. Check the error on condition 'olderThan' for values where last_used is NoneType.
• iam-no-support-role. Is this the correct way to check if the policy AWSSupportAccess (created by default) is attached to at least 1 user?
• iam-managed-policy-allows-full-privileges. Fix error: list index out of range.
• cloudtrail-no-logging. Need to add an extra verification (recommended by CIS): Condition to verify there is at least one Event Selector for a Trail with IncludeManagementEvents set to true and ReadWriteType set to All
• Recommendation 2.3. Should we create a new finding exclusive to CloudTrail S3 buckets or reuse the already created ones?
• Recommendation 2.6. Should be specific to CloudTrail S3 buckets, currently the cis 1.2.0 ruleset has a general bucket logging finding in this recommendation. Finish finding cloudtrail-s3-bucket-no-logging to verify the bucket has the principal cloudtrail.amazonaws.com and logging disabled.
• vpc-subnet-without-flow-log. Would like to make the flow log counter higllighted in red when there are 0 flow logs (services.vpc.regions.id.vpcs.id.subnets.html partial)
• Recommendation 4.4 ec2-routes-tables-full-peering. Complete finding conditions with the newly created object of VPCs route_tables. Also modify description to better explain the end user that this finding depends on their requirements for each instance

[x4v13r64]

Finally ready to merge! Thanks @paurisa for the great work on this.

[prisas]

No problem, it is a pleasure to contribute to this useful project.