locals {
  # Section-level tag set: the benchmark-wide cis_v100 tags plus the section id for "1 IAM".
  # Every benchmark/control in this file merges its own tags on top of this map.
  cis_v100_1_common_tags = merge(local.cis_v100_common_tags, { cis_section_id = "1" })
}
benchmark "cis_v100_1" {
  # Section 1 (IAM) of the cis_v100 benchmark. The children list is the
  # authoritative order of items 1.1 through 1.19 as rendered in reports.
  title         = "1 IAM"
  documentation = file("./cis_v100/docs/cis_v100_1.md")

  tags = merge(local.cis_v100_1_common_tags, {
    type    = "Benchmark"
    service = "IBM/IAM"
  })

  children = [
    control.cis_v100_1_1,
    control.cis_v100_1_2,
    control.cis_v100_1_3,
    control.cis_v100_1_4,
    control.cis_v100_1_5,
    control.cis_v100_1_6,
    control.cis_v100_1_7,
    control.cis_v100_1_8,
    control.cis_v100_1_9,
    control.cis_v100_1_10,
    control.cis_v100_1_11,
    control.cis_v100_1_12,
    control.cis_v100_1_13,
    control.cis_v100_1_14,
    control.cis_v100_1_15,
    control.cis_v100_1_16,
    control.cis_v100_1_17,
    control.cis_v100_1_18,
    control.cis_v100_1_19,
  ]
}
control "cis_v100_1_1" {
  # 1.1 — not evaluated automatically; backed by the shared query.manual_control
  # like the other manual items in this section. Owner-login review is a human task.
  title         = "1.1 Monitor account owner for frequent, unexpected, or unauthorized logins"
  query         = query.manual_control
  description   = "Monitor login activity of the account owner to prevent unauthorized usage of the privileged account."
  documentation = file("./cis_v100/docs/cis_v100_1_1.md")

  tags = merge(local.cis_v100_1_common_tags, {
    service     = "IBM/IAM"
    cis_type    = "manual"
    cis_level   = "1"
    cis_item_id = "1.1"
  })
}
control "cis_v100_1_2" {
  # 1.2 — manual. The 180-day "unused" threshold is mechanical, but no query backs it
  # here; compare 1.3, which is backed by query.iam_user_api_key_age_90.
  title         = "1.2 Ensure API keys unused for 180 days are detected and optionally disabled"
  query         = query.manual_control
  description   = "Monitor API key usage in your account and search for API keys that are unused or used infrequently."
  documentation = file("./cis_v100/docs/cis_v100_1_2.md")

  tags = merge(local.cis_v100_1_common_tags, {
    service     = "IBM/IAM"
    cis_type    = "manual"
    cis_level   = "1"
    cis_item_id = "1.2"
  })
}
control "cis_v100_1_3" {
  # 1.3 — backed by query.iam_user_api_key_age_90 (90-day key age).
  # NOTE(review): cis_type is tagged "manual" although an automated query backs this
  # control — confirm whether the mod convention expects "automated" here.
  title         = "1.3 Ensure API keys are rotated every 90 days"
  query         = query.iam_user_api_key_age_90
  description   = "Replace production API keys with new API keys regularly, every 90 days for example, as a best practice to secure your account."
  documentation = file("./cis_v100/docs/cis_v100_1_3.md")

  tags = merge(local.cis_v100_1_common_tags, {
    service     = "IBM/IAM"
    cis_type    = "manual"
    cis_level   = "1"
    cis_item_id = "1.3"
  })
}
control "cis_v100_1_4" {
  # 1.4 — backed by query.iam_restrict_api_key_service_id_creation. The description
  # requires BOTH account settings (user API key creation and service ID creation) to
  # be restricted; presumably the query checks both — verify against the query body.
  # NOTE(review): cis_type "manual" despite an automated query — confirm convention.
  title         = "1.4 Restrict user API key creation and service ID creation in the account via IAM roles"
  query         = query.iam_restrict_api_key_service_id_creation
  description   = "Use IAM settings to restrict user API key creation and service ID (and related API key) creation in the account. Enable both settings to restrict all users in the account from creating user API keys and service IDs except those with an IAM policy that explicitly allows it."
  documentation = file("./cis_v100/docs/cis_v100_1_4.md")

  tags = merge(local.cis_v100_1_common_tags, {
    service     = "IBM/IAM"
    cis_type    = "manual"
    cis_level   = "1"
    cis_item_id = "1.4"
  })
}
control "cis_v100_1_5" {
  # 1.5 — backed by query.iam_account_owner_no_api_key. An owner API key is a
  # long-lived credential with full account privilege, hence the "none" requirement.
  # NOTE(review): cis_type "manual" despite an automated query — confirm convention.
  title         = "1.5 Ensure no owner account API key exists"
  query         = query.iam_account_owner_no_api_key
  description   = "API keys by definition allow access to your account and resources in your account. The API key inherits all assigned access for the user identity for which it is created, therefore an API key created by an account owner has account-owner level access to resources in the account."
  documentation = file("./cis_v100/docs/cis_v100_1_5.md")

  tags = merge(local.cis_v100_1_common_tags, {
    service     = "IBM/IAM"
    cis_type    = "manual"
    cis_level   = "1"
    cis_item_id = "1.5"
  })
}
control "cis_v100_1_6" {
  # 1.6 — manual: password-policy compliance is confirmed by a reviewer, not a query.
  title         = "1.6 Ensure compliance with IBM Cloud password requirements"
  query         = query.manual_control
  description   = "A strong password is a very important step towards account security and safety. Passwords should never be shared with anyone, and must follow the strong password requirements."
  documentation = file("./cis_v100/docs/cis_v100_1_6.md")

  tags = merge(local.cis_v100_1_common_tags, {
    service     = "IBM/IAM"
    cis_type    = "manual"
    cis_level   = "1"
    cis_item_id = "1.6"
  })
}
control "cis_v100_1_7" {
  # 1.7 — backed by query.iam_user_mfa_enabled_all (MFA status across all users).
  # NOTE(review): cis_type "manual" despite an automated query — confirm convention.
  title         = "1.7 Ensure multi-factor authentication (MFA) is enabled for all users in account"
  query         = query.iam_user_mfa_enabled_all
  description   = "Requires users to provide multiple factors of login credentials to authenticate their identity and gain access to IBM Cloud resources."
  documentation = file("./cis_v100/docs/cis_v100_1_7.md")

  tags = merge(local.cis_v100_1_common_tags, {
    service     = "IBM/IAM"
    cis_type    = "manual"
    cis_level   = "1"
    cis_item_id = "1.7"
  })
}
control "cis_v100_1_8" {
  # 1.8 — account-OWNER MFA.
  # NOTE(review): this reuses query.iam_user_mfa_enabled_all, the same all-users query
  # as 1.7. Going by its name it evaluates every user, so any non-owner user without
  # MFA would fail this owner-specific control too (a false alarm), while the owner's
  # own status is not singled out. An owner-scoped query should back this item — confirm.
  title         = "1.8 Ensure multi-factor authentication (MFA) is enabled for the account owner"
  query         = query.iam_user_mfa_enabled_all
  description   = "Requires account owners to provide multiple factors of login credentials to authenticate their identity and gain access to IBM Cloud resources."
  documentation = file("./cis_v100/docs/cis_v100_1_8.md")

  tags = merge(local.cis_v100_1_common_tags, {
    service     = "IBM/IAM"
    cis_type    = "manual"
    cis_level   = "1"
    cis_item_id = "1.8"
  })
}
control "cis_v100_1_9" {
  # 1.9 — ACCOUNT-LEVEL MFA setting.
  # NOTE(review): this reuses query.iam_user_mfa_enabled_all, a per-user query by its
  # name. An account-level MFA requirement is an account setting, distinct from whether
  # each user has individually enrolled; presumably the per-user query does not read that
  # setting, so this control may pass/fail for the wrong reason — confirm and back it
  # with an account-settings query if one exists.
  title         = "1.9 Ensure multi-factor authentication (MFA) is enabled at the account level"
  query         = query.iam_user_mfa_enabled_all
  description   = "Requires users to provide multiple factors of login credentials to authenticate their identity and gain access to IBM Cloud resources."
  documentation = file("./cis_v100/docs/cis_v100_1_9.md")

  tags = merge(local.cis_v100_1_common_tags, {
    service     = "IBM/IAM"
    cis_type    = "manual"
    cis_level   = "1"
    cis_item_id = "1.9"
  })
}
control "cis_v100_1_10" {
  # 1.10 — backed by query.iam_user_with_valid_email (contact email on record).
  # NOTE(review): cis_type "manual" despite an automated query — confirm convention.
  title         = "1.10 Ensure contact email is valid"
  query         = query.iam_user_with_valid_email
  description   = "In order to receive emails and account alerts related to an IBM Cloud account, a valid email address should always be on record with IBM Cloud. If you lose access to an email address, you should update your email address on record to ensure continuity of correspondence."
  documentation = file("./cis_v100/docs/cis_v100_1_10.md")

  tags = merge(local.cis_v100_1_common_tags, {
    service     = "IBM/IAM"
    cis_type    = "manual"
    cis_level   = "1"
    cis_item_id = "1.10"
  })
}
control "cis_v100_1_11" {
  # 1.11 — backed by query.iam_user_with_valid_phone (contact phone on record).
  # NOTE(review): cis_type "manual" despite an automated query — confirm convention.
  title         = "1.11 Ensure contact phone number is valid"
  query         = query.iam_user_with_valid_phone
  description   = "A valid phone number should be on record with IBM Cloud in the event that IBM needs to contact you regarding your IBM Cloud account."
  documentation = file("./cis_v100/docs/cis_v100_1_11.md")

  tags = merge(local.cis_v100_1_common_tags, {
    service     = "IBM/IAM"
    cis_type    = "manual"
    cis_level   = "1"
    cis_item_id = "1.11"
  })
}
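control "cis_v100_1_12" {
  # 1.12 — access-group membership / policy assignment.
  # FIX: this control previously pointed at query.iam_user_with_valid_phone, the phone-number
  # query used by 1.11 (a copy-paste carry-over). That made 1.12 report pass/fail based on
  # contact phone numbers, giving false assurance about access-group usage. No access-group
  # query is defined in this file, so the control is routed to the shared query.manual_control
  # (matching its cis_type = "manual" tag) until a dedicated query exists. When one is added,
  # it should check (a) every IAM user belongs to at least one access group and (b) no access
  # policy is attached directly to a user rather than to an access group.
  title         = "1.12 Ensure IAM users are members of access groups and IAM policies are assigned only to access groups"
  query         = query.manual_control
  description   = "Simplify and secure the access management process by using access groups when you assign access to groups of users with identical access needs."
  documentation = file("./cis_v100/docs/cis_v100_1_12.md")

  tags = merge(local.cis_v100_1_common_tags, {
    service     = "IBM/IAM"
    cis_type    = "manual"
    cis_level   = "1"
    cis_item_id = "1.12"
  })
}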
control "cis_v100_1_13" {
  # 1.13 — backed by query.iam_support_center_access_group_configured.
  # NOTE(review): cis_type "manual" despite an automated query — confirm convention.
  title         = "1.13 Ensure a support access group has been created to manage incidents with IBM Support"
  query         = query.iam_support_center_access_group_configured
  description   = "Support cases are used to raise issues to IBM Cloud. Access to IBM Cloud Support Center is managed via IAM roles."
  documentation = file("./cis_v100/docs/cis_v100_1_13.md")

  tags = merge(local.cis_v100_1_common_tags, {
    service     = "IBM/IAM"
    cis_type    = "manual"
    cis_level   = "1"
    cis_item_id = "1.13"
  })
}
control "cis_v100_1_14" {
  # 1.14 — manual: least-privilege review of users holding Administrator roles.
  title         = "1.14 Minimize the number of users with admin privileges in the account"
  query         = query.manual_control
  description   = "Comply with the principle of granting least privilege by using Access Groups to manage admin privileges and by avoiding the use of broadly scoped access policies."
  documentation = file("./cis_v100/docs/cis_v100_1_14.md")

  tags = merge(local.cis_v100_1_common_tags, {
    service     = "IBM/IAM"
    cis_type    = "manual"
    cis_level   = "1"
    cis_item_id = "1.14"
  })
}
control "cis_v100_1_15" {
  # 1.15 — manual: the service-ID counterpart of 1.14 (admin-privileged non-human identities).
  title         = "1.15 Minimize the number of Service IDs with admin privileges in the account"
  query         = query.manual_control
  description   = "Comply with the principle of granting least privilege by using Access Groups to manage admin privileges and by avoiding the use of many Service IDs with Administrative Privileges."
  documentation = file("./cis_v100/docs/cis_v100_1_15.md")

  tags = merge(local.cis_v100_1_common_tags, {
    service     = "IBM/IAM"
    cis_type    = "manual"
    cis_level   = "1"
    cis_item_id = "1.15"
  })
}
control "cis_v100_1_16" {
  # 1.16 — backed by query.iam_access_group_with_public_access. The title is scoped to
  # Cloud Object Storage, but the description (and, by its name, the query) concern
  # "all users" / public access granted through IAM access groups in general — the
  # query presumably flags any such group, not only COS-scoped ones; verify.
  # NOTE(review): cis_type "manual" despite an automated query — confirm convention.
  title         = "1.16 Ensure IAM does not allow public access to Cloud Object Storage"
  query         = query.iam_access_group_with_public_access
  description   = "IBM Cloud features the capability for users with specific access roles to create access policies that allow all users(authenticated and non-authenticated) to access resources in the account. This “all users” access in turn ends up in public (including non-authenticated) access to resources. Determine if this capability is required by your organization and disable if not required."
  documentation = file("./cis_v100/docs/cis_v100_1_16.md")

  tags = merge(local.cis_v100_1_common_tags, {
    service     = "IBM/IAM"
    cis_type    = "manual"
    cis_level   = "1"
    cis_item_id = "1.16"
  })
}
control "cis_v100_1_17" {
  # 1.17 — manual: inactive-user suspension. The inactivity window is left to the
  # organization ("a given time frame"); no query enforces a threshold here.
  title         = "1.17 Ensure Inactive User Accounts are Suspend"
  query         = query.manual_control
  description   = "Revoke access privileges for users in an IBM Cloud account that are inactive, typically defined as user accounts with no logins in a given time frame."
  documentation = file("./cis_v100/docs/cis_v100_1_17.md")

  tags = merge(local.cis_v100_1_common_tags, {
    service     = "IBM/IAM"
    cis_type    = "manual"
    cis_level   = "1"
    cis_item_id = "1.17"
  })
}
control "cis_v100_1_18" {
  # 1.18 — manual: IAM audit logging via Activity Tracker. Without this, the login and
  # key-usage reviews in 1.1 and 1.2 have no event source to work from.
  title         = "1.18 Enable audit logging for IBM Cloud Identity and Access Management"
  query         = query.manual_control
  description   = "Use the IBM Cloud Activity Tracker with LogDNA service to monitor certain IAM events."
  documentation = file("./cis_v100/docs/cis_v100_1_18.md")

  tags = merge(local.cis_v100_1_common_tags, {
    service     = "IBM/IAM"
    cis_type    = "manual"
    cis_level   = "1"
    cis_item_id = "1.18"
  })
}
control "cis_v100_1_19" {
  # 1.19 — manual: federation with a corporate IdP, so user lifecycle and MFA policy
  # can be governed centrally rather than per IBM Cloud account.
  title         = "1.19 Ensure Identity Federation is set up with a Corporate IDP"
  query         = query.manual_control
  description   = "Allow users to log in to IBM Cloud by using their corporate Identity Provider (IdP) to authenticate."
  documentation = file("./cis_v100/docs/cis_v100_1_19.md")

  tags = merge(local.cis_v100_1_common_tags, {
    service     = "IBM/IAM"
    cis_type    = "manual"
    cis_level   = "1"
    cis_item_id = "1.19"
  })
}