opengovern · artaasadi · Jan 25, 2025 · Jan 24, 2025 · Jan 24, 2025 · Jan 24, 2025
diff --git a/compliance/controls/aws/aws_account_alternate_contact_security_registered.yaml b/compliance/controls/aws/aws_account_alternate_contact_security_registered.yaml
@@ -1,57 +1,58 @@
 id: aws_account_alternate_contact_security_registered
 title: Security contact information should be provided for an AWS account
+type: control
 description: This control checks if an AWS Web Services (AWS) account has security contact information. The control fails if security contact information is not provided for the account.
 integration_type:
-  - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
-    language: sql
-    primary_resource: aws_account
-    definition: |
-        WITH alternate_security_contact AS (
-          SELECT
-            name,
-            account_id
-          FROM
-            aws_account_alternate_contact
-          WHERE
-            contact_type = 'SECURITY'
-        )
-        SELECT
-          arn AS resource,
-          platform_integration_id AS platform_integration_id,
-          platform_resource_id AS platform_resource_id,
-          CASE
-            WHEN a.partition = 'aws-us-gov' THEN 'info'
-            WHEN c.name IS NOT NULL THEN 'ok'
-            ELSE 'alarm'
-          END AS status,
-          CASE
-            WHEN a.partition = 'aws-us-gov' THEN a.title || ' in GovCloud, manual verification required.'
-            WHEN c.name IS NOT NULL THEN a.title || ' has security contact ' || c.name || ' registered.'
-            ELSE a.title || ' security contact not registered.'
-          END AS reason,
-          a.account_id
-        FROM
-          aws_account AS a
-        LEFT JOIN alternate_security_contact AS c ON c.account_id = a.account_id;
+  language: sql
+  primary_resource: aws_account
+  definition: |
+    WITH alternate_security_contact AS (
+      SELECT
+        name,
+        account_id
+      FROM
+        aws_account_alternate_contact
+      WHERE
+        contact_type = 'SECURITY'
+    )
+    SELECT
+      arn AS resource,
+      platform_integration_id AS platform_integration_id,
+      platform_resource_id AS platform_resource_id,
+      CASE
+        WHEN a.partition = 'aws-us-gov' THEN 'info'
+        WHEN c.name IS NOT NULL THEN 'ok'
+        ELSE 'alarm'
+      END AS status,
+      CASE
+        WHEN a.partition = 'aws-us-gov' THEN a.title || ' in GovCloud, manual verification required.'
+        WHEN c.name IS NOT NULL THEN a.title || ' has security contact ' || c.name || ' registered.'
+        ELSE a.title || ' security contact not registered.'
+      END AS reason,
+      a.account_id
+    FROM
+      aws_account AS a
+    LEFT JOIN alternate_security_contact AS c ON c.account_id = a.account_id;
 severity: low
 tags:
-    category:
-      - Compliance
-    cis:
-      - 'true'
-    cis_item_id:
-      - '1.18'
-    cis_level:
-      - '1'
-    cis_section_id:
-      - '1'
-    cis_type:
-      - not_scored
-    cis_version:
-      - v1.2.0
-    plugin:
-      - aws
-    service:
-      - AWS/IAM
+  category:
+  - Compliance
+  cis:
+  - "true"
+  cis_item_id:
+  - "1.18"
+  cis_level:
+  - "1"
+  cis_section_id:
+  - "1"
+  cis_type:
+  - not_scored
+  cis_version:
+  - v1.2.0
+  plugin:
+  - aws
+  service:
+  - AWS/IAM
diff --git a/compliance/controls/aws/aws_account_part_of_organizations.yaml b/compliance/controls/aws/aws_account_part_of_organizations.yaml
@@ -1,42 +1,43 @@
 id: aws_account_part_of_organizations
 title: AWS account should be part of AWS Organizations
+type: control
 description: Ensure that an AWS account is part of AWS Organizations. The rule is non-compliant if an AWS account is not part of AWS Organizations, or AWS Organizations' master account ID does not match rule parameter MasterAccountId.
 integration_type:
-  - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
-    language: sql
-    primary_resource: aws_account
-    definition: |
-        SELECT
-          arn AS resource,
-          platform_integration_id AS platform_integration_id,
-          platform_resource_id AS platform_resource_id,
-          CASE
-            WHEN organization_id IS NOT NULL THEN 'ok'
-            ELSE 'alarm'
-          END AS status,
-          CASE
-            WHEN organization_id IS NOT NULL THEN title || ' is part of organization(s).'
-            ELSE title || ' is not part of organization.'
-          END AS reason,
-          region,
-          account_id
-        FROM
-          aws_account;
+  language: sql
+  primary_resource: aws_account
+  definition: |
+    SELECT
+      arn AS resource,
+      platform_integration_id AS platform_integration_id,
+      platform_resource_id AS platform_resource_id,
+      CASE
+        WHEN organization_id IS NOT NULL THEN 'ok'
+        ELSE 'alarm'
+      END AS status,
+      CASE
+        WHEN organization_id IS NOT NULL THEN title || ' is part of organization(s).'
+        ELSE title || ' is not part of organization.'
+      END AS reason,
+      region,
+      account_id
+    FROM
+      aws_account;
 severity: medium
 tags:
-    category:
-      - Compliance
-    cis_controls_v8_ig1:
-      - 'true'
-    gxp_21_cfr_part_11:
-      - 'true'
-    nist_800_53_rev_5:
-      - 'true'
-    nist_csf:
-      - 'true'
-    plugin:
-      - aws
-    service:
-      - AWS/IAM
+  category:
+  - Compliance
+  cis_controls_v8_ig1:
+  - "true"
+  gxp_21_cfr_part_11:
+  - "true"
+  nist_800_53_rev_5:
+  - "true"
+  nist_csf:
+  - "true"
+  plugin:
+  - aws
+  service:
+  - AWS/IAM
diff --git a/compliance/controls/aws/aws_acm_certificate_expires_30_days.yaml b/compliance/controls/aws/aws_acm_certificate_expires_30_days.yaml
@@ -1,64 +1,65 @@
 id: aws_acm_certificate_expires_30_days
 title: ACM certificates should not expire within 30 days
+type: control
 description: Ensure network integrity is protected by ensuring X509 certificates are issued by AWS ACM.
 integration_type:
-  - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
-    language: sql
-    primary_resource: aws_acm_certificate
-    definition: |
-        SELECT
-          certificate_arn AS resource,
-          platform_integration_id AS platform_integration_id,
-          platform_resource_id AS platform_resource_id,
-          CASE
-            WHEN renewal_eligibility = 'INELIGIBLE' THEN 'skip'
-            WHEN DATE(not_after) - DATE(current_date) >= 30 THEN 'ok'
-            ELSE 'alarm'
-          END AS status,
-          CASE
-            WHEN renewal_eligibility = 'INELIGIBLE' THEN title || ' not eligible for renewal.'
-            ELSE title || ' expires ' || TO_CHAR(not_after, 'DD-Mon-YYYY') ||
-            ' (' || EXTRACT(DAY FROM not_after - current_date) || ' days).'
-          END AS reason,
-          region,
-          account_id
-        FROM
-          aws_acm_certificate;
+  language: sql
+  primary_resource: aws_acm_certificate
+  definition: |
+    SELECT
+      certificate_arn AS resource,
+      platform_integration_id AS platform_integration_id,
+      platform_resource_id AS platform_resource_id,
+      CASE
+        WHEN renewal_eligibility = 'INELIGIBLE' THEN 'skip'
+        WHEN DATE(not_after) - DATE(current_date) >= 30 THEN 'ok'
+        ELSE 'alarm'
+      END AS status,
+      CASE
+        WHEN renewal_eligibility = 'INELIGIBLE' THEN title || ' not eligible for renewal.'
+        ELSE title || ' expires ' || TO_CHAR(not_after, 'DD-Mon-YYYY') ||
+        ' (' || EXTRACT(DAY FROM not_after - current_date) || ' days).'
+      END AS reason,
+      region,
+      account_id
+    FROM
+      aws_acm_certificate;
 severity: high
 tags:
-    category:
-      - Compliance
-    cisa_cyber_essentials:
-      - 'true'
-    fedramp_low_rev_4:
-      - 'true'
-    fedramp_moderate_rev_4:
-      - 'true'
-    ffiec:
-      - 'true'
-    gdpr:
-      - 'true'
-    hipaa_final_omnibus_security_rule_2013:
-      - 'true'
-    hipaa_security_rule_2003:
-      - 'true'
-    nist_800_53_rev_4:
-      - 'true'
-    nist_800_53_rev_5:
-      - 'true'
-    nist_800_171_rev_2:
-      - 'true'
-    nist_csf:
-      - 'true'
-    pci_dss_v321:
-      - 'true'
-    plugin:
-      - aws
-    rbi_cyber_security:
-      - 'true'
-    service:
-      - AWS/ACM
-    soc_2:
-      - 'true'
+  category:
+  - Compliance
+  cisa_cyber_essentials:
+  - "true"
+  fedramp_low_rev_4:
+  - "true"
+  fedramp_moderate_rev_4:
+  - "true"
+  ffiec:
+  - "true"
+  gdpr:
+  - "true"
+  hipaa_final_omnibus_security_rule_2013:
+  - "true"
+  hipaa_security_rule_2003:
+  - "true"
+  nist_800_171_rev_2:
+  - "true"
+  nist_800_53_rev_4:
+  - "true"
+  nist_800_53_rev_5:
+  - "true"
+  nist_csf:
+  - "true"
+  pci_dss_v321:
+  - "true"
+  plugin:
+  - aws
+  rbi_cyber_security:
+  - "true"
+  service:
+  - AWS/ACM
+  soc_2:
+  - "true"
diff --git a/compliance/controls/aws/aws_acm_certificate_no_failed_certificate.yaml b/compliance/controls/aws/aws_acm_certificate_no_failed_certificate.yaml
@@ -1,23 +1,24 @@
 id: aws_acm_certificate_no_failed_certificate
 title: Ensure that ACM certificates are not in failed state
+type: control
 description: This control ensures that ACM certificates are not in failed state.
 integration_type:
-  - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
-    language: sql
-    primary_resource: aws_acm_certificate
-    definition: |
-        SELECT
-          certificate_arn AS resource,
-          platform_integration_id AS platform_integration_id,
-          platform_resource_id AS platform_resource_id,
-          CASE
-            WHEN status IN ('VALIDATION_TIMED_OUT', 'FAILED') THEN 'alarm'
-            ELSE 'ok'
-          END AS status,
-          title || ' status is ' || status || '.' AS reason
-        FROM
-          aws_acm_certificate;
+  language: sql
+  primary_resource: aws_acm_certificate
+  definition: |
+    SELECT
+      certificate_arn AS resource,
+      platform_integration_id AS platform_integration_id,
+      platform_resource_id AS platform_resource_id,
+      CASE
+        WHEN status IN ('VALIDATION_TIMED_OUT', 'FAILED') THEN 'alarm'
+        ELSE 'ok'
+      END AS status,
+      title || ' status is ' || status || '.' AS reason
+    FROM
+      aws_acm_certificate;
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_acm_certificate_no_pending_validation_certificate.yaml b/compliance/controls/aws/aws_acm_certificate_no_pending_validation_certificate.yaml
@@ -1,23 +1,24 @@
 id: aws_acm_certificate_no_pending_validation_certificate
 title: Ensure that ACM certificates are not in pending validation state
+type: control
 description: This control ensures that ACM certificates are not in pending validation state. When certificates are not validated within 72 hours after the request is made, those certificates become invalid.
 integration_type:
-  - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
-    language: sql
-    primary_resource: aws_acm_certificate
-    definition: |
-        SELECT
-          certificate_arn AS resource,
-          platform_integration_id AS platform_integration_id,
-          platform_resource_id AS platform_resource_id,
-          CASE
-            WHEN status = 'PENDING_VALIDATION' THEN 'info'
-            ELSE 'ok'
-          END AS status,
-          title || ' status is ' || status || '.' AS reason
-        FROM
-          aws_acm_certificate;
+  language: sql
+  primary_resource: aws_acm_certificate
+  definition: |
+    SELECT
+      certificate_arn AS resource,
+      platform_integration_id AS platform_integration_id,
+      platform_resource_id AS platform_resource_id,
+      CASE
+        WHEN status = 'PENDING_VALIDATION' THEN 'info'
+        ELSE 'ok'
+      END AS status,
+      title || ' status is ' || status || '.' AS reason
+    FROM
+      aws_acm_certificate;
 severity: low
 tags: {}