-
Notifications
You must be signed in to change notification settings - Fork 30
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
refactor(checks): migrate AWS ec2 to Rego
Signed-off-by: Nikita Pivkin <[email protected]>
- Loading branch information
Showing
99 changed files
with
2,286 additions
and
1,456 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
51 changes: 51 additions & 0 deletions
51
checks/cloud/aws/ec2/add_description_to_security_group.rego
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,51 @@ | ||
# METADATA | ||
# title: Missing description for security group. | ||
# description: | | ||
# Security groups should include a description for auditing purposes. | ||
# | ||
# Simplifies auditing, debugging, and managing security groups. | ||
# scope: package | ||
# schemas: | ||
# - input: schema["cloud"] | ||
# related_resources: | ||
# - https://www.cloudconformity.com/knowledge-base/aws/EC2/security-group-rules-description.html | ||
# custom: | ||
# id: AVD-AWS-0099 | ||
# avd_id: AVD-AWS-0099 | ||
# provider: aws | ||
# service: ec2 | ||
# severity: LOW | ||
# short_code: add-description-to-security-group | ||
# recommended_action: Add descriptions for all security groups | ||
# input: | ||
# selector: | ||
# - type: cloud | ||
# subtypes: | ||
# - service: ec2 | ||
# provider: aws | ||
# terraform: | ||
# links: | ||
# - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group | ||
# - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule | ||
# good_examples: checks/cloud/aws/ec2/add_description_to_security_group.tf.go | ||
# bad_examples: checks/cloud/aws/ec2/add_description_to_security_group.tf.go | ||
# cloudformation: | ||
# good_examples: checks/cloud/aws/ec2/add_description_to_security_group.cf.go | ||
# bad_examples: checks/cloud/aws/ec2/add_description_to_security_group.cf.go | ||
package builtin.aws.ec2.aws0099 | ||
|
||
import rego.v1 | ||
|
||
deny contains res if { | ||
some sg in input.aws.ec2.securitygroups | ||
sg.__defsec_metadata.managed | ||
sg.description.value == "" | ||
res := result.new("Security group does not have a description.", sg) | ||
} | ||
|
||
deny contains res if { | ||
some sg in input.aws.ec2.securitygroups | ||
sg.__defsec_metadata.managed | ||
sg.description.value == "Managed by Terraform" | ||
res := result.new("Security group explicitly uses the default description.", sg) | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
47 changes: 47 additions & 0 deletions
47
checks/cloud/aws/ec2/add_description_to_security_group_rule.rego
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,47 @@ | ||
# METADATA | ||
# title: Missing description for security group rule. | ||
# description: | | ||
# Security group rules should include a description for auditing purposes. | ||
# | ||
# Simplifies auditing, debugging, and managing security groups. | ||
# scope: package | ||
# schemas: | ||
# - input: schema["cloud"] | ||
# related_resources: | ||
# - https://www.cloudconformity.com/knowledge-base/aws/EC2/security-group-rules-description.html | ||
# custom: | ||
# id: AVD-AWS-0124 | ||
# avd_id: AVD-AWS-0124 | ||
# provider: aws | ||
# service: ec2 | ||
# severity: LOW | ||
# short_code: add-description-to-security-group-rule | ||
# recommended_action: Add descriptions for all security groups rules | ||
# input: | ||
# selector: | ||
# - type: cloud | ||
# subtypes: | ||
# - service: ec2 | ||
# provider: aws | ||
# terraform: | ||
# links: | ||
# - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group | ||
# - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule | ||
# good_examples: checks/cloud/aws/ec2/add_description_to_security_group_rule.tf.go | ||
# bad_examples: checks/cloud/aws/ec2/add_description_to_security_group_rule.tf.go | ||
# cloudformation: | ||
# good_examples: checks/cloud/aws/ec2/add_description_to_security_group_rule.cf.go | ||
# bad_examples: checks/cloud/aws/ec2/add_description_to_security_group_rule.cf.go | ||
package builtin.aws.ec2.aws0124 | ||
|
||
import rego.v1 | ||
|
||
deny contains res if { | ||
some group in input.aws.ec2.securitygroups | ||
some rule in array.concat( | ||
object.get(group, "egressrules", []), | ||
object.get(group, "ingressrules", []), | ||
) | ||
rule.description.value == "" | ||
res := result.new("Security group rule does not have a description.", rule.description) | ||
} |
Oops, something went wrong.