forked from epam/ecc-aws-rulepack
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
skip: Merge pull request epam#9 from epam/update
Update
- Loading branch information
Showing
1,301 changed files
with
27,229 additions
and
314 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| ## Non-Compatible Rules | ||
| The <strong>non-compatible-policies</strong> folder in this repository contains rules that are currently not compatible with the open-source version of Cloud Custodian. However, these rules will become compatible once custom filters and resources are merged into the open-source project. The <strong>non-compatible-policies</strong> folder serves as a temporary holding space until the necessary changes are made and merged to upstream. | ||
|
|
||
| You can track the progress of the merging process through the following [link](https://github.com/cloud-custodian/cloud-custodian/issues/8358) |
18 changes: 18 additions & 0 deletions
18
non-compatible-policies/ecc-aws-081-rds_not_open_to_large_scope.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| # Copyright (c) 2023 EPAM Systems, Inc. | ||
| # | ||
| # This Source Code Form is subject to the terms of the Mozilla Public | ||
| # License, v. 2.0. If a copy of the MPL was not distributed with this | ||
| # file, You can obtain one at http://mozilla.org/MPL/2.0/. | ||
|
|
||
| policies: | ||
| - name: ecc-aws-081-rds_not_open_to_large_scope | ||
| description: | | ||
| RDS is open to a large scope | ||
| resource: aws.rds | ||
| filters: | ||
| - type: rds-vpc-filter | ||
| key: SecurityGroups[].IpPermissions[].IpRanges[].CidrIp | ||
| op: in | ||
| value: | ||
| - "0.0.0.0/0" | ||
| - "::/0" |
22 changes: 22 additions & 0 deletions
22
non-compatible-policies/ecc-aws-088-http_elb_certificate_expire_in_one_week.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| # Copyright (c) 2023 EPAM Systems, Inc. | ||
| # | ||
| # This Source Code Form is subject to the terms of the Mozilla Public | ||
| # License, v. 2.0. If a copy of the MPL was not distributed with this | ||
| # file, You can obtain one at http://mozilla.org/MPL/2.0/. | ||
|
|
||
| policies: | ||
| - name: ecc-aws-088-http_elb_certificate_expire_in_one_week | ||
| description: | | ||
| Application or Network Load balancer SSL certificate expire in less than a week | ||
| resource: app-elb | ||
| filters: | ||
| - not: | ||
| - type: value | ||
| key: Type | ||
| value: "gateway" | ||
| op: in | ||
| - type: appelb-acm-filter | ||
| key: 'NotAfter' | ||
| op: lt | ||
| value: 7 | ||
|
|
22 changes: 22 additions & 0 deletions
22
non-compatible-policies/ecc-aws-089-http_elb_certificate_expire_in_one_month.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| # Copyright (c) 2023 EPAM Systems, Inc. | ||
| # | ||
| # This Source Code Form is subject to the terms of the Mozilla Public | ||
| # License, v. 2.0. If a copy of the MPL was not distributed with this | ||
| # file, You can obtain one at http://mozilla.org/MPL/2.0/. | ||
|
|
||
| policies: | ||
| - name: ecc-aws-089-http_elb_certificate_expire_in_one_month | ||
| description: | | ||
| Application or Network Load balancer SSL certificate expire in less than a month | ||
| resource: app-elb | ||
| filters: | ||
| - not: | ||
| - type: value | ||
| key: Type | ||
| value: "gateway" | ||
| op: in | ||
| - type: appelb-acm-filter | ||
| key: 'NotAfter' | ||
| op: lt | ||
| value: 30 | ||
|
|
17 changes: 17 additions & 0 deletions
17
non-compatible-policies/ecc-aws-100-ebs-volume_without_recent_snapshot.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,17 @@ | ||
| # Copyright (c) 2023 EPAM Systems, Inc. | ||
| # | ||
| # This Source Code Form is subject to the terms of the Mozilla Public | ||
| # License, v. 2.0. If a copy of the MPL was not distributed with this | ||
| # file, You can obtain one at http://mozilla.org/MPL/2.0/. | ||
|
|
||
| policies: | ||
| - name: ecc-aws-100-ebs-volume_without_recent_snapshot | ||
| description: | | ||
| EBS Volumes without recent snapshots | ||
| resource: aws.ebs | ||
| filters: | ||
| - not: | ||
| - type: snapshot-age | ||
| op: le | ||
| days: 14 | ||
|
|
19 changes: 19 additions & 0 deletions
19
non-compatible-policies/ecc-aws-175-cloudtrail_enabled_in_all_regions.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| # Copyright (c) 2023 EPAM Systems, Inc. | ||
| # | ||
| # This Source Code Form is subject to the terms of the Mozilla Public | ||
| # License, v. 2.0. If a copy of the MPL was not distributed with this | ||
| # file, You can obtain one at http://mozilla.org/MPL/2.0/. | ||
|
|
||
| policies: | ||
| - name: ecc-aws-175-cloudtrail_enabled_in_all_regions | ||
| resource: aws.account | ||
| description: | | ||
| CloudTrail is not enabled in all regions | ||
| filters: | ||
| - type: cloudtrails | ||
| valueList: trailList[?IsMultiRegionTrail == `true`] | ||
| statusList: statusList[?IsLogging == `true`] | ||
| selectorList: selectorList[?AdvancedEventSelectors[?FieldSelectors[?Field == 'eventCategory' && Equals[?contains(@, 'Management')==`true`]] && !(FieldSelectors[?Field=='readOnly']) && !(FieldSelectors[?Field=='eventSource'])] || EventSelectors[?IncludeManagementEvents==`true` && ReadWriteType=='All']] | ||
| op: eq | ||
| value: 0 | ||
|
|
15 changes: 15 additions & 0 deletions
15
non-compatible-policies/ecc-aws-178-iam_policies_full_administrative_privileges.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| # Copyright (c) 2023 EPAM Systems, Inc. | ||
| # | ||
| # This Source Code Form is subject to the terms of the Mozilla Public | ||
| # License, v. 2.0. If a copy of the MPL was not distributed with this | ||
| # file, You can obtain one at http://mozilla.org/MPL/2.0/. | ||
|
|
||
| policies: | ||
| - name: ecc-aws-178-iam_policies_full_administrative_privileges | ||
| description: | | ||
| IAM policies that allow full "*:*" administrative privileges are in use | ||
| resource: iam-policy-all | ||
| filters: | ||
| - type: used | ||
| - type: has-allow-all | ||
|
|
23 changes: 23 additions & 0 deletions
23
non-compatible-policies/ecc-aws-180-iam_user_with_password_and_unused_access_keys.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| # Copyright (c) 2023 EPAM Systems, Inc. | ||
| # | ||
| # This Source Code Form is subject to the terms of the Mozilla Public | ||
| # License, v. 2.0. If a copy of the MPL was not distributed with this | ||
| # file, You can obtain one at http://mozilla.org/MPL/2.0/. | ||
|
|
||
| policies: | ||
| - name: ecc-aws-180-iam_user_with_password_and_unused_access_keys | ||
| resource: aws.iam-user | ||
| description: | | ||
| Access key was created during initial IAM user setup | ||
| filters: | ||
| - type: creation-time-aws-iam-user | ||
| field_name_1: access_key_1_last_rotated | ||
| field_name_2: CreateDate | ||
| seconds: 4 | ||
| - type: credential | ||
| key: password_enabled | ||
| value: true | ||
| - type: credential | ||
| key: access_keys.last_used_date | ||
| value: null | ||
|
|
15 changes: 15 additions & 0 deletions
15
non-compatible-policies/ecc-aws-182-ensure_support_role_created_to_manage_incidents.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| # Copyright (c) 2023 EPAM Systems, Inc. | ||
| # | ||
| # This Source Code Form is subject to the terms of the Mozilla Public | ||
| # License, v. 2.0. If a copy of the MPL was not distributed with this | ||
| # file, You can obtain one at http://mozilla.org/MPL/2.0/. | ||
|
|
||
| policies: | ||
| - name: ecc-aws-182-ensure_support_role_created_to_manage_incidents | ||
| resource: aws.account | ||
| description: | | ||
| Support role has not been created to manage incidents with AWS Support | ||
| filters: | ||
| - type: account-iam-role-light-filter | ||
| value: AWSSupportAccess | ||
|
|
20 changes: 20 additions & 0 deletions
20
non-compatible-policies/ecc-aws-192-unauthorized_api_calls_alarm_exists.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| # Copyright (c) 2023 EPAM Systems, Inc. | ||
| # | ||
| # This Source Code Form is subject to the terms of the Mozilla Public | ||
| # License, v. 2.0. If a copy of the MPL was not distributed with this | ||
| # file, You can obtain one at http://mozilla.org/MPL/2.0/. | ||
|
|
||
| policies: | ||
| - name: ecc-aws-192-unauthorized_api_calls_alarm_exists | ||
| resource: aws.account | ||
| description: | | ||
| Log metric filter and alarm do not exist for unauthorized API calls | ||
| filters: | ||
| - type: cloudtrails | ||
| valueList: trailList[?IsMultiRegionTrail == `true`] | ||
| statusList: statusList[?IsLogging == `true`] | ||
| selectorList: selectorList[?AdvancedEventSelectors[?FieldSelectors[?Field == 'eventCategory' && Equals[?contains(@, 'Management')==`true`]] && !(FieldSelectors[?Field=='readOnly']) && !(FieldSelectors[?Field=='eventSource'])] || EventSelectors[?IncludeManagementEvents==`true` && ReadWriteType=='All']] | ||
| configurationChangesAlarmList: "\\(\\(\\$\\.errorCode=\"\\*UnauthorizedOperation\"\\) ?\\|\\| ?\\(\\$\\.errorCode=\"AccessDenied\\*\"\\)\\) ?&& ?\\(\\(\\$\\.sourceIPAddress!=(\")?delivery\\.logs\\.amazonaws\\.com(\")?\\) ?&& ?\\(\\$\\.eventName!=(\")?HeadBucket(\")?\\)\\)" | ||
| op: eq | ||
| value: 0 | ||
|
|
30 changes: 30 additions & 0 deletions
30
non-compatible-policies/ecc-aws-193-s3_bucket_cloudtrail_logs_not_publicly_accessible.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| # Copyright (c) 2023 EPAM Systems, Inc. | ||
| # | ||
| # This Source Code Form is subject to the terms of the Mozilla Public | ||
| # License, v. 2.0. If a copy of the MPL was not distributed with this | ||
| # file, You can obtain one at http://mozilla.org/MPL/2.0/. | ||
|
|
||
| policies: | ||
| - name: ecc-aws-193-s3_bucket_cloudtrail_logs_not_publicly_accessible | ||
| description: | | ||
| S3 bucket used to store CloudTrail logs is publicly accessible | ||
| resource: aws.cloudtrail | ||
| filters: | ||
| - or: | ||
| - type: cloudtrail-s3-filter | ||
| key: PublicAccessBlockConfiguration.BlockPublicAcls | ||
| op: eq | ||
| value: false | ||
| - type: cloudtrail-s3-filter | ||
| key: PublicAccessBlockConfiguration.BlockPublicPolicy | ||
| op: eq | ||
| value: false | ||
| - type: cloudtrail-s3-filter | ||
| key: PublicAccessBlockConfiguration.IgnorePublicAcls | ||
| op: eq | ||
| value: false | ||
| - type: cloudtrail-s3-filter | ||
| key: PublicAccessBlockConfiguration.RestrictPublicBuckets | ||
| op: eq | ||
| value: false | ||
|
|
17 changes: 17 additions & 0 deletions
17
...tible-policies/ecc-aws-194-s3_bucket_should_not_allow_all_actions_from_all_principals.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,17 @@ | ||
| # Copyright (c) 2023 EPAM Systems, Inc. | ||
| # | ||
| # This Source Code Form is subject to the terms of the Mozilla Public | ||
| # License, v. 2.0. If a copy of the MPL was not distributed with this | ||
| # file, You can obtain one at http://mozilla.org/MPL/2.0/. | ||
|
|
||
| policies: | ||
| - name: ecc-aws-194-s3_bucket_should_not_allow_all_actions_from_all_principals | ||
| description: | | ||
| S3 bucket allows all actions from all principals | ||
| resource: aws.s3-light | ||
| filters: | ||
| - type: has-statement | ||
| statements: | ||
| - Effect: Allow | ||
| Action: '*' | ||
| Principal: '*' |
20 changes: 20 additions & 0 deletions
20
non-compatible-policies/ecc-aws-204-sign_in_without_mfa_alarm_exist.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| # Copyright (c) 2023 EPAM Systems, Inc. | ||
| # | ||
| # This Source Code Form is subject to the terms of the Mozilla Public | ||
| # License, v. 2.0. If a copy of the MPL was not distributed with this | ||
| # file, You can obtain one at http://mozilla.org/MPL/2.0/. | ||
|
|
||
| policies: | ||
| - name: ecc-aws-204-sign_in_without_mfa_alarm_exist | ||
| resource: aws.account | ||
| description: | | ||
| Log metric filter and alarm do not exist for Management Console sign-in without MFA | ||
| filters: | ||
| - type: cloudtrails | ||
| valueList: trailList[?IsMultiRegionTrail == `true`] | ||
| statusList: statusList[?IsLogging == `true`] | ||
| selectorList: selectorList[?AdvancedEventSelectors[?FieldSelectors[?Field == 'eventCategory' && Equals[?contains(@, 'Management')==`true`]] && !(FieldSelectors[?Field=='readOnly']) && !(FieldSelectors[?Field=='eventSource'])] || EventSelectors[?IncludeManagementEvents==`true` && ReadWriteType=='All']] | ||
| configurationChangesAlarmList: "\\(\\$\\.eventName ?= ?\"ConsoleLogin\"\\) ?&& ?\\(\\$\\.additionalEventData.MFAUsed ?!= ?\"Yes\"\\) ?&& ?\\(\\$\\.userIdentity\\.type ?= ?\"IAMUser\"\\) ?&& ?\\(\\$.responseElements\\.ConsoleLogin ?= ?\"Success\"\\)" | ||
| op: eq | ||
| value: 0 | ||
|
|
20 changes: 20 additions & 0 deletions
20
non-compatible-policies/ecc-aws-205-root_usage_alarm_exists.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| # Copyright (c) 2023 EPAM Systems, Inc. | ||
| # | ||
| # This Source Code Form is subject to the terms of the Mozilla Public | ||
| # License, v. 2.0. If a copy of the MPL was not distributed with this | ||
| # file, You can obtain one at http://mozilla.org/MPL/2.0/. | ||
|
|
||
| policies: | ||
| - name: ecc-aws-205-root_usage_alarm_exists | ||
| resource: aws.account | ||
| description: | | ||
| Log metric filter and alarm do not exist for usage of "root" account | ||
| filters: | ||
| - type: cloudtrails | ||
| valueList: trailList[?IsMultiRegionTrail == `true`] | ||
| statusList: statusList[?IsLogging == `true`] | ||
| selectorList: selectorList[?AdvancedEventSelectors[?FieldSelectors[?Field == 'eventCategory' && Equals[?contains(@, 'Management')==`true`]] && !(FieldSelectors[?Field=='readOnly']) && !(FieldSelectors[?Field=='eventSource'])] || EventSelectors[?IncludeManagementEvents==`true` && ReadWriteType=='All']] | ||
| configurationChangesAlarmList: "(\\()? ?\\$\\.userIdentity\\.type ?= ?\"Root\" ?(\\))? ?\\&\\& ?(\\(?) ?\\$\\.userIdentity\\.invokedBy NOT EXISTS ?(\\))? ?&& ?(\\()? ?\\$\\.eventType ?!= ?\"AwsServiceEvent\" ?(\\))?" | ||
| op: eq | ||
| value: 0 | ||
|
|
20 changes: 20 additions & 0 deletions
20
non-compatible-policies/ecc-aws-206-iam_policy_changes_alarm_exist.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| # Copyright (c) 2023 EPAM Systems, Inc. | ||
| # | ||
| # This Source Code Form is subject to the terms of the Mozilla Public | ||
| # License, v. 2.0. If a copy of the MPL was not distributed with this | ||
| # file, You can obtain one at http://mozilla.org/MPL/2.0/. | ||
|
|
||
| policies: | ||
| - name: ecc-aws-206-iam_policy_changes_alarm_exist | ||
| resource: aws.account | ||
| description: | | ||
| Log metric filter and alarm do not exist for IAM policy changes | ||
| filters: | ||
| - type: cloudtrails | ||
| valueList: trailList[?IsMultiRegionTrail == `true`] | ||
| statusList: statusList[?IsLogging == `true`] | ||
| selectorList: selectorList[?AdvancedEventSelectors[?FieldSelectors[?Field == 'eventCategory' && Equals[?contains(@, 'Management')==`true`]] && !(FieldSelectors[?Field=='readOnly']) && !(FieldSelectors[?Field=='eventSource'])] || EventSelectors[?IncludeManagementEvents==`true` && ReadWriteType=='All']] | ||
| configurationChangesAlarmList: "(\\()? ?\\$\\.eventName=DeleteGroupPolicy ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=DeleteRolePolicy ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=DeleteUserPolicy(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=PutGroupPolicy(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=PutRolePolicy(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=PutUserPolicy ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=CreatePolicy ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=DeletePolicy ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=CreatePolicyVersion ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=DeletePolicyVersion(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=AttachRolePolicy ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=DetachRolePolicy ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=AttachUserPolicy ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=DetachUserPolicy ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=AttachGroupPolicy ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=DetachGroupPolicy ?(\\))?" | ||
| op: eq | ||
| value: 0 | ||
|
|
20 changes: 20 additions & 0 deletions
20
non-compatible-policies/ecc-aws-207-cloudtrail_configuration_changes_alarm_exists.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| # Copyright (c) 2023 EPAM Systems, Inc. | ||
| # | ||
| # This Source Code Form is subject to the terms of the Mozilla Public | ||
| # License, v. 2.0. If a copy of the MPL was not distributed with this | ||
| # file, You can obtain one at http://mozilla.org/MPL/2.0/. | ||
|
|
||
| policies: | ||
| - name: ecc-aws-207-cloudtrail_configuration_changes_alarm_exists | ||
| resource: aws.account | ||
| description: | | ||
| Log metric filter and alarm do not exist for CloudTrail configuration changes | ||
| filters: | ||
| - type: cloudtrails | ||
| valueList: trailList[?IsMultiRegionTrail == `true`] | ||
| statusList: statusList[?IsLogging == `true`] | ||
| selectorList: selectorList[?AdvancedEventSelectors[?FieldSelectors[?Field == 'eventCategory' && Equals[?contains(@, 'Management')==`true`]] && !(FieldSelectors[?Field=='readOnly']) && !(FieldSelectors[?Field=='eventSource'])] || EventSelectors[?IncludeManagementEvents==`true` && ReadWriteType=='All']] | ||
| configurationChangesAlarmList: "(\\()? ?\\$\\.eventName ?= ?(\")?CreateTrail(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?UpdateTrail(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?DeleteTrail(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?StartLogging(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?StopLogging(\")? ?(\\))?" | ||
| op: eq | ||
| value: 0 | ||
|
|
20 changes: 20 additions & 0 deletions
20
non-compatible-policies/ecc-aws-208-console_auth_failure_alarm_exists.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| # Copyright (c) 2023 EPAM Systems, Inc. | ||
| # | ||
| # This Source Code Form is subject to the terms of the Mozilla Public | ||
| # License, v. 2.0. If a copy of the MPL was not distributed with this | ||
| # file, You can obtain one at http://mozilla.org/MPL/2.0/. | ||
|
|
||
| policies: | ||
| - name: ecc-aws-208-console_auth_failure_alarm_exists | ||
| resource: aws.account | ||
| description: | | ||
| Log metric filter and alarm do not exist for AWS Management Console authentication failures | ||
| filters: | ||
| - type: cloudtrails | ||
| valueList: trailList[?IsMultiRegionTrail == `true`] | ||
| statusList: statusList[?IsLogging == `true`] | ||
| selectorList: selectorList[?AdvancedEventSelectors[?FieldSelectors[?Field == 'eventCategory' && Equals[?contains(@, 'Management')==`true`]] && !(FieldSelectors[?Field=='readOnly']) && !(FieldSelectors[?Field=='eventSource'])] || EventSelectors[?IncludeManagementEvents==`true` && ReadWriteType=='All']] | ||
| configurationChangesAlarmList: "(\\()? ?\\$\\.eventName ?= ?(\")?ConsoleLogin(\")? ?(\\))? ?&& ?(\\()? ?\\$\\.errorMessage ?= ?(\")?Failed authentication(\")? ?(\\))?" | ||
| op: eq | ||
| value: 0 | ||
|
|
20 changes: 20 additions & 0 deletions
20
non-compatible-policies/ecc-aws-209-cmk_key_disabling_or_deletion_alarm_exists.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| # Copyright (c) 2023 EPAM Systems, Inc. | ||
| # | ||
| # This Source Code Form is subject to the terms of the Mozilla Public | ||
| # License, v. 2.0. If a copy of the MPL was not distributed with this | ||
| # file, You can obtain one at http://mozilla.org/MPL/2.0/. | ||
|
|
||
| policies: | ||
| - name: ecc-aws-209-cmk_key_disabling_or_deletion_alarm_exists | ||
| resource: aws.account | ||
| description: | | ||
| Log metric filter and alarm do not exist for disabling or scheduled deletion of customer created CMKs | ||
| filters: | ||
| - type: cloudtrails | ||
| valueList: trailList[?IsMultiRegionTrail == `true`] | ||
| statusList: statusList[?IsLogging == `true`] | ||
| selectorList: selectorList[?AdvancedEventSelectors[?FieldSelectors[?Field == 'eventCategory' && Equals[?contains(@, 'Management')==`true`]] && !(FieldSelectors[?Field=='readOnly']) && !(FieldSelectors[?Field=='eventSource'])] || EventSelectors[?IncludeManagementEvents==`true` && ReadWriteType=='All']] | ||
| configurationChangesAlarmList: "(\\()? ?\\$\\.eventSource ?= ?(\")?kms\\.amazonaws\\.com(\")? ?(\\))? ?&& ?\\((\\()? ?\\$\\.eventName ?= ?(\")?DisableKey(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?ScheduleKeyDeletion(\")? ?(\\))?\\)" | ||
| op: eq | ||
| value: 0 | ||
|
|
15 changes: 15 additions & 0 deletions
15
non-compatible-policies/ecc-aws-211-cloudtrail_bucket_logging_enabled.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| # Copyright (c) 2023 EPAM Systems, Inc. | ||
| # | ||
| # This Source Code Form is subject to the terms of the Mozilla Public | ||
| # License, v. 2.0. If a copy of the MPL was not distributed with this | ||
| # file, You can obtain one at http://mozilla.org/MPL/2.0/. | ||
|
|
||
| policies: | ||
| - name: ecc-aws-211-cloudtrail_bucket_logging_enabled | ||
| resource: aws.cloudtrail | ||
| description: | | ||
| S3 bucket access logging is disabled on the CloudTrail S3 bucket | ||
| filters: | ||
| - type: cloudtrail-s3-logging | ||
| enabled: false | ||
|
|
Oops, something went wrong.