# Section-level tag set for CIS v1.0.0 section 1 (Identity and Access Management).
# Extends the benchmark-wide tags (local.cis_v100_common_tags, defined elsewhere
# in the mod) with the section id; every control below merges this into its tags.
locals {
  cis_v100_1_common_tags = merge(local.cis_v100_common_tags, {
    cis_section_id = "1"
  })
}
# Benchmark grouping the section 1 (IAM / RAM) controls. Each child is a
# control declared in this file; the children run in the listed order.
benchmark "cis_v100_1" {
  title = "1 Identity and Access Management"
  documentation = file("./cis_v100/docs/cis_v100_1.md")
  children = [
    control.cis_v100_1_1,
    control.cis_v100_1_2,
    control.cis_v100_1_3,
    control.cis_v100_1_4,
    control.cis_v100_1_5,
    control.cis_v100_1_6,
    control.cis_v100_1_7,
    control.cis_v100_1_8,
    control.cis_v100_1_9,
    control.cis_v100_1_10,
    control.cis_v100_1_11,
    control.cis_v100_1_12,
    control.cis_v100_1_13,
    control.cis_v100_1_14,
    # NOTE(review): the list jumps from 1.14 to 1.16; no cis_v100_1_15 control is
    # declared in this file. Confirm the omission is intentional (e.g. no
    # automated/manual check implemented for item 1.15) rather than a typo.
    control.cis_v100_1_16
  ]
  tags = merge(local.cis_v100_1_common_tags, {
    service = "AliCloud/RAM"
    type = "Benchmark"
  })
}
# CIS 1.1: the account-level 'root' identity should not be used for day-to-day
# work. Backed by query.ram_root_account_unused (defined elsewhere in the mod);
# tagged "manual" because the assessment needs human confirmation.
control "cis_v100_1_1" {
  title = "1.1 Avoid the use of the 'root' account"
  description = "An Alibaba Cloud account can be viewed as a 'root' account. The 'root' account has full control permissions to all cloud products and resources under such account. It is highly recommended that the use of this account should be avoided."
  query = query.ram_root_account_unused
  documentation = file("./cis_v100/docs/cis_v100_1_1.md")
  tags = merge(local.cis_v100_1_common_tags, {
    cis_item_id = "1.1"
    cis_level = "1"
    cis_type = "manual"
    service = "AliCloud/RAM"
  })
}
# CIS 1.2: no programmatic access keys may exist on the root account, since a
# leaked root key grants full control of every resource in the account.
# Backed by query.ram_root_account_no_access_keys (defined elsewhere in the mod).
control "cis_v100_1_2" {
  title = "1.2 Ensure no root account access key exists"
  description = "Access keys provide programmatic access to a given Alibaba Cloud account. It is recommended that all access keys associated with the root account be removed."
  query = query.ram_root_account_no_access_keys
  documentation = file("./cis_v100/docs/cis_v100_1_2.md")
  tags = merge(local.cis_v100_1_common_tags, {
    cis_item_id = "1.2"
    cis_level = "1"
    cis_type = "manual"
    service = "AliCloud/RAM"
  })
}
# CIS 1.3: MFA must be enabled on the root account.
# Backed by query.ram_root_account_mfa_enabled (defined elsewhere in the mod).
# NOTE(review): the description has a missing space after "device." and uses
# curly quotes around root while the title uses straight quotes; worth
# normalising in a follow-up (left unchanged here).
control "cis_v100_1_3" {
  title = "1.3 Ensure MFA is enabled for the 'root' account"
  description = "With MFA enabled, anytime the “root” account logs on to Alibaba Cloud, it will be prompted for username and password followed by an authentication code from the virtual MFA device.It is recommended that MFA be enabled for the 'root' user."
  query = query.ram_root_account_mfa_enabled
  documentation = file("./cis_v100/docs/cis_v100_1_3.md")
  tags = merge(local.cis_v100_1_common_tags, {
    cis_item_id = "1.3"
    cis_level = "1"
    cis_type = "manual"
    service = "AliCloud/RAM"
  })
}
# CIS 1.4: every RAM user with a console password must have MFA enabled.
# Backed by query.ram_user_console_access_mfa_enabled (defined elsewhere in the mod).
control "cis_v100_1_4" {
  title = "1.4 Ensure that multi-factor authentication is enabled for all RAM users that have a console password"
  description = "Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA enabled, when a user logs on to Alibaba Cloud, they will be prompted for their user name and password followed by an authentication code from their virtual MFA device. It is recommended that MFA be enabled for all users that have a console password."
  query = query.ram_user_console_access_mfa_enabled
  documentation = file("./cis_v100/docs/cis_v100_1_4.md")
  tags = merge(local.cis_v100_1_common_tags, {
    cis_item_id = "1.4"
    cis_level = "1"
    cis_type = "automated"
    service = "AliCloud/RAM"
  })
}
# CIS 1.5: console access for RAM users idle for 90 days or more should be
# disabled. Backed by query.ram_user_unused_90 (defined elsewhere in the mod);
# the 90-day threshold is assumed to live in that query — confirm there.
control "cis_v100_1_5" {
  title = "1.5 Ensure users not logged on for 90 days or longer are disabled for console logon"
  description = "Alibaba Cloud RAM users can logon to Alibaba Cloud console by using their user name and password. If a user has not logged on for 90 days or longer, it is recommended to disable the console access of the user."
  query = query.ram_user_unused_90
  documentation = file("./cis_v100/docs/cis_v100_1_5.md")
  tags = merge(local.cis_v100_1_common_tags, {
    cis_item_id = "1.5"
    cis_level = "1"
    cis_type = "automated"
    service = "AliCloud/RAM"
  })
}
# CIS 1.6: RAM user access keys must be rotated at least every 90 days.
# Backed by query.ram_user_access_key_rotated_90 (defined elsewhere in the mod).
control "cis_v100_1_6" {
  title = "1.6 Ensure access keys are rotated every 90 days or less"
  description = "An access key consists of an access key ID and a secret, which are used to sign programmatic requests that you make to Alibaba Cloud. RAM users need their own access keys to make programmatic calls to Alibaba Cloud from the Alibaba Cloud SDKs, CLIs, or direct HTTP/HTTPS calls using the APIs for individual Alibaba Cloud services. It is recommended that all access keys be regularly rotated."
  query = query.ram_user_access_key_rotated_90
  documentation = file("./cis_v100/docs/cis_v100_1_6.md")
  tags = merge(local.cis_v100_1_common_tags, {
    cis_item_id = "1.6"
    cis_level = "1"
    cis_type = "automated"
    service = "AliCloud/RAM"
  })
}
# CIS 1.7: account password policy must require at least one uppercase letter.
# Backed by query.ram_account_password_policy_one_uppercase_letter.
control "cis_v100_1_7" {
  title = "1.7 Ensure RAM password policy requires at least one uppercase letter"
  description = "RAM password policies can be used to ensure password complexity. It is recommended that the password policy require at least one uppercase letter."
  query = query.ram_account_password_policy_one_uppercase_letter
  documentation = file("./cis_v100/docs/cis_v100_1_7.md")
  tags = merge(local.cis_v100_1_common_tags, {
    cis_item_id = "1.7"
    cis_level = "1"
    cis_type = "automated"
    service = "AliCloud/RAM"
  })
}
# CIS 1.8: account password policy must require at least one lowercase letter.
# Backed by query.ram_account_password_policy_one_lowercase_letter.
control "cis_v100_1_8" {
  title = "1.8 Ensure RAM password policy requires at least one lowercase letter"
  description = "RAM password policies can be used to ensure password complexity. It is recommended that the password policy require at least one lowercase letter."
  query = query.ram_account_password_policy_one_lowercase_letter
  documentation = file("./cis_v100/docs/cis_v100_1_8.md")
  tags = merge(local.cis_v100_1_common_tags, {
    cis_item_id = "1.8"
    cis_level = "1"
    cis_type = "automated"
    service = "AliCloud/RAM"
  })
}
# CIS 1.9: account password policy must require at least one symbol.
# Backed by query.ram_account_password_policy_one_symbol.
control "cis_v100_1_9" {
  title = "1.9 Ensure RAM password policy require at least one symbol"
  description = "RAM password policies can be used to ensure password complexity. It is recommended that the password policy require at least one symbol."
  query = query.ram_account_password_policy_one_symbol
  documentation = file("./cis_v100/docs/cis_v100_1_9.md")
  tags = merge(local.cis_v100_1_common_tags, {
    cis_item_id = "1.9"
    cis_level = "1"
    cis_type = "automated"
    service = "AliCloud/RAM"
  })
}
# CIS 1.10: account password policy must require at least one number.
# Backed by query.ram_account_password_policy_one_number.
control "cis_v100_1_10" {
  title = "1.10 Ensure RAM password policy require at least one number"
  description = "RAM password policies can be used to ensure password complexity. It is recommended that the password policy require at least one number."
  query = query.ram_account_password_policy_one_number
  documentation = file("./cis_v100/docs/cis_v100_1_10.md")
  tags = merge(local.cis_v100_1_common_tags, {
    cis_item_id = "1.10"
    cis_level = "1"
    cis_type = "automated"
    service = "AliCloud/RAM"
  })
}
# CIS 1.11: account password policy must enforce a minimum length of 14.
# Backed by query.ram_account_password_policy_min_length_14.
control "cis_v100_1_11" {
  title = "1.11 Ensure RAM password policy requires minimum length of 14 or greater"
  description = "RAM password policies can be used to ensure password complexity. It is recommended that the password policy require a minimum of 14 or greater characters for any password."
  query = query.ram_account_password_policy_min_length_14
  documentation = file("./cis_v100/docs/cis_v100_1_11.md")
  tags = merge(local.cis_v100_1_common_tags, {
    cis_item_id = "1.11"
    cis_level = "1"
    cis_type = "automated"
    service = "AliCloud/RAM"
  })
}
# CIS 1.12: account password policy must prevent password reuse.
# Backed by query.ram_account_password_policy_reuse_5; the query name suggests a
# history depth of 5 previous passwords, which the description does not state —
# confirm against the query and the CIS text.
control "cis_v100_1_12" {
  title = "1.12 Ensure RAM password policy prevents password reuse"
  description = "It is recommended that the password policy prevent the reuse of passwords."
  query = query.ram_account_password_policy_reuse_5
  documentation = file("./cis_v100/docs/cis_v100_1_12.md")
  tags = merge(local.cis_v100_1_common_tags, {
    cis_item_id = "1.12"
    cis_level = "1"
    cis_type = "automated"
    service = "AliCloud/RAM"
  })
}
# CIS 1.13: account password policy must expire passwords within 90 days.
# Backed by query.ram_password_policy_expire_90 (defined elsewhere in the mod).
control "cis_v100_1_13" {
  title = "1.13 Ensure RAM password policy expires passwords within 90 days or less"
  description = "RAM password policies can require passwords to be expired after a given number of days. It is recommended that the password policy expire passwords after 90 days or less."
  query = query.ram_password_policy_expire_90
  documentation = file("./cis_v100/docs/cis_v100_1_13.md")
  tags = merge(local.cis_v100_1_common_tags, {
    cis_item_id = "1.13"
    cis_level = "1"
    cis_type = "automated"
    service = "AliCloud/RAM"
  })
}
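# CIS 1.14: account password policy must temporarily block logon after 5
# incorrect attempts within an hour (brute-force / credential-stuffing guard).
# Backed by query.ram_password_policy_max_login_attempts_5 (defined elsewhere in the mod).
control "cis_v100_1_14" {
  title = "1.14 Ensure RAM password policy temporarily blocks logon after 5 incorrect logon attempts within an hour"
  # The description previously duplicated control 1.13's password-expiry text and
  # did not describe the lockout requirement named in the title and query.
  description = "RAM password policies can temporarily block console logon after a given number of incorrect logon attempts within an hour. It is recommended that the password policy block logon after 5 incorrect logon attempts within an hour."
  query = query.ram_password_policy_max_login_attempts_5
  documentation = file("./cis_v100/docs/cis_v100_1_14.md")
  tags = merge(local.cis_v100_1_common_tags, {
    cis_item_id = "1.14"
    cis_level = "1"
    cis_type = "automated"
    service = "AliCloud/RAM"
  })
}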
# CIS 1.16: RAM policies should be attached to groups or roles, never directly
# to users, so that entitlements are managed centrally and reviewable.
# Backed by query.ram_user_no_policies (defined elsewhere in the mod).
control "cis_v100_1_16" {
  title = "1.16 Ensure RAM policies are attached only to groups or roles"
  description = "By default, RAM users, groups, and roles have no access to Alibaba Cloud resources. RAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended that RAM policies be applied directly to groups and roles but not users."
  query = query.ram_user_no_policies
  documentation = file("./cis_v100/docs/cis_v100_1_16.md")
  tags = merge(local.cis_v100_1_common_tags, {
    cis_item_id = "1.16"
    cis_level = "1"
    cis_type = "automated"
    service = "AliCloud/RAM"
  })
}