Skip to content

Commit

Permalink
Merge pull request #150 from nikpivkin/go2rego-aws-1
Browse files Browse the repository at this point in the history
refactor(checks): migrate AWS accessanalyzer, athena, cloudfront to Rego
  • Loading branch information
simar7 authored Jun 25, 2024
2 parents 6f4dbd8 + 90f350e commit 68c9eff
Show file tree
Hide file tree
Showing 52 changed files with 709 additions and 708 deletions.
6 changes: 3 additions & 3 deletions .github/actions/setup-opa/action.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -3,11 +3,11 @@ description: Setup OPA CLI
runs:
using: composite
steps:
- name: Setup OPA v0.58.0
- name: Setup OPA
shell: bash
run: |
curl --retry 3 -L -o opa_linux_amd64_static https://github.com/open-policy-agent/opa/releases/download/v0.58.0/opa_linux_amd64_static
curl -L -o checksum https://github.com/open-policy-agent/opa/releases/download/v0.58.0/opa_linux_amd64_static.sha256
curl --retry 3 -L -o opa_linux_amd64_static https://github.com/open-policy-agent/opa/releases/download/v0.65.0/opa_linux_amd64_static
curl -L -o checksum https://github.com/open-policy-agent/opa/releases/download/v0.65.0/opa_linux_amd64_static.sha256
sha256sum -c checksum
chmod 755 ./opa_linux_amd64_static
sudo mv ./opa_linux_amd64_static /usr/local/bin/opa
3 changes: 1 addition & 2 deletions avd_docs/aws/accessanalyzer/AVD-AWS-0175/docs.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,4 @@


AWS IAM Access Analyzer helps you identify the resources in your organization and
accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity.
This lets you identify unintended access to your resources and data. Access Analyzer
Expand All @@ -10,7 +9,7 @@ keys, AWS Lambda functions, and Amazon SQS(Simple Queue Service) queues.


### Impact
Reduced visibility of externally shared resources.
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
5 changes: 3 additions & 2 deletions avd_docs/aws/athena/AVD-AWS-0006/docs.md
Original file line number Diff line number Diff line change
@@ -1,8 +1,9 @@

Athena databases and workspace result sets should be encrypted at rests. These databases and query sets are generally derived from data in S3 buckets and should have the same level of at rest protection.
Data can be read if the Athena Database is compromised. Athena databases and workspace result sets should be encrypted at rests. These databases and query sets are generally derived from data in S3 buckets and should have the same level of at rest protection.


### Impact
Data can be read if the Athena Database is compromised
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
5 changes: 3 additions & 2 deletions avd_docs/aws/athena/AVD-AWS-0007/docs.md
Original file line number Diff line number Diff line change
@@ -1,8 +1,9 @@

Athena workgroup configuration should be enforced to prevent client side changes to disable encryption settings.
Clients can ignore encryption requirements without enforced configuration. Athena workgroup configuration should be enforced to prevent client side changes to disable encryption settings.


### Impact
Clients can ignore encryption requirements
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
5 changes: 3 additions & 2 deletions avd_docs/aws/cloudtrail/AVD-AWS-0014/docs.md
Original file line number Diff line number Diff line change
@@ -1,8 +1,9 @@

When creating Cloudtrail in the AWS Management Console the trail is configured by default to be multi-region, this isn't the case with the Terraform resource. Cloudtrail should cover the full AWS account to ensure you can track changes in regions you are not actively operting in.
Activity could be happening in your account in a different region. When creating Cloudtrail in the AWS Management Console the trail is configured by default to be multi-region, this isn't the case with the Terraform resource. Cloudtrail should cover the full AWS account to ensure you can track changes in regions you are not actively operting in.


### Impact
Activity could be happening in your account in a different region
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
5 changes: 3 additions & 2 deletions avd_docs/aws/cloudtrail/AVD-AWS-0015/docs.md
Original file line number Diff line number Diff line change
@@ -1,8 +1,9 @@

Using Customer managed keys provides comprehensive control over cryptographic keys, enabling management of policies, permissions, and rotation, thus enhancing security and compliance measures for sensitive data and systems.
Using AWS managed keys does not allow for fine grained control. Using Customer managed keys provides comprehensive control over cryptographic keys, enabling management of policies, permissions, and rotation, thus enhancing security and compliance measures for sensitive data and systems.


### Impact
Using AWS managed keys does not allow for fine grained control
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
5 changes: 3 additions & 2 deletions avd_docs/aws/cloudtrail/AVD-AWS-0016/docs.md
Original file line number Diff line number Diff line change
@@ -1,8 +1,9 @@

Log validation should be activated on Cloudtrail logs to prevent the tampering of the underlying data in the S3 bucket. It is feasible that a rogue actor compromising an AWS account might want to modify the log data to remove trace of their actions.
Illicit activity could be removed from the logs. Log validation should be activated on Cloudtrail logs to prevent the tampering of the underlying data in the S3 bucket. It is feasible that a rogue actor compromising an AWS account might want to modify the log data to remove trace of their actions.


### Impact
Illicit activity could be removed from the logs
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
5 changes: 2 additions & 3 deletions avd_docs/aws/cloudtrail/AVD-AWS-0161/docs.md
Original file line number Diff line number Diff line change
@@ -1,10 +1,9 @@


CloudTrail logs a record of every API call made in your account. These log files are stored in an S3 bucket. CIS recommends that the S3 bucket policy, or access control list (ACL), applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs. Allowing public access to CloudTrail log content might aid an adversary in identifying weaknesses in the affected account's use or configuration.
CloudTrail logs will be publicly exposed, potentially containing sensitive information. CloudTrail logs a record of every API call made in your account. These log files are stored in an S3 bucket. CIS recommends that the S3 bucket policy, or access control list (ACL), applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs. Allowing public access to CloudTrail log content might aid an adversary in identifying weaknesses in the affected account's use or configuration.


### Impact
CloudTrail logs will be publicly exposed, potentially containing sensitive information
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
3 changes: 2 additions & 1 deletion avd_docs/aws/cloudtrail/AVD-AWS-0162/docs.md
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@

Realtime log analysis is not available without enabling CloudWatch logging.

CloudTrail is a web service that records AWS API calls made in a given account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.

Expand All @@ -8,7 +9,7 @@ For a trail that is enabled in all Regions in an account, CloudTrail sends log f


### Impact
Realtime log analysis is not available without enabling CloudWatch logging
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
4 changes: 1 addition & 3 deletions avd_docs/aws/cloudtrail/AVD-AWS-0163/docs.md
Original file line number Diff line number Diff line change
@@ -1,13 +1,11 @@

Amazon S3 bucket access logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed.

CIS recommends that you enable bucket access logging on the CloudTrail S3 bucket.

By enabling S3 bucket logging on target S3 buckets, you can capture all events that might affect objects in a target bucket. Configuring logs to be placed in a separate bucket enables access to log information, which can be useful in security and incident response workflows.


### Impact
There is no way to determine the access to this bucket
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
3 changes: 2 additions & 1 deletion checks/cloud/aws/accessanalyzer/enable_access_analyzer.go
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,8 @@ keys, AWS Lambda functions, and Amazon SQS(Simple Queue Service) queues.
Links: []string{
"https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html",
},
Severity: severity.Low,
Severity: severity.Low,
Deprecated: true,
},
func(s *state.State) (results scan.Results) {
var enabled bool
Expand Down
45 changes: 45 additions & 0 deletions checks/cloud/aws/accessanalyzer/enable_access_analyzer.rego
Original file line number Diff line number Diff line change
@@ -0,0 +1,45 @@
# METADATA
# title: Enable IAM Access analyzer for IAM policies about all resources in each region.
# description: |
# AWS IAM Access Analyzer helps you identify the resources in your organization and
# accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity.
# This lets you identify unintended access to your resources and data. Access Analyzer
# identifies resources that are shared with external principals by using logic-based reasoning
# to analyze the resource-based policies in your AWS environment. IAM Access Analyzer
# continuously monitors all policies for S3 bucket, IAM roles, KMS(Key Management Service)
# keys, AWS Lambda functions, and Amazon SQS(Simple Queue Service) queues.
# scope: package
# schemas:
# - input: schema["cloud"]
# related_resources:
# - https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html
# custom:
# id: AVD-AWS-0175
# avd_id: AVD-AWS-0175
# provider: aws
# service: accessanalyzer
# severity: LOW
# short_code: enable-access-analyzer
# recommended_action: Enable IAM Access analyzer across all regions.
# frameworks:
# cis-aws-1.4:
# - "1.20"
# input:
# selector:
# - type: cloud
# subtypes:
# - service: accessanalyzer
# provider: aws
package builtin.aws.accessanalyzer.aws0175

import rego.v1

deny contains res if {
not has_active_analyzer
res := result.new("Access Analyzer is not enabled.", {})
}

has_active_analyzer if {
some analyzer in input.aws.accessanalyzer.analyzers
analyzer.active.value
}
75 changes: 0 additions & 75 deletions checks/cloud/aws/accessanalyzer/enable_access_analyzer_test.go

This file was deleted.

26 changes: 26 additions & 0 deletions checks/cloud/aws/accessanalyzer/enable_access_analyzer_test.rego
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
package builtin.aws.accessanalyzer.aws0175_test

import rego.v1

import data.builtin.aws.accessanalyzer.aws0175 as check
import data.lib.test

test_disallow_no_analyzers if {
r := check.deny with input as {"aws": {"accessanalyzer": {"analyzers": []}}}
test.assert_equal_message("Access Analyzer is not enabled.", r)
}

test_disallow_analyzer_disabled if {
r := check.deny with input as {"aws": {"accessanalyzer": {"analyzers": [{"active": {"value": false}}]}}}
test.assert_equal_message("Access Analyzer is not enabled.", r)
}

test_allow_one_of_analyzer_disabled if {
r := check.deny with input as {"aws": {"accessanalyzer": {"analyzers": [{"active": {"value": false}}, {"active": {"value": true}}]}}}
test.assert_empty(r)
}

test_allow_analyzer_enabled if {
r := check.deny with input as {"aws": {"accessanalyzer": {"analyzers": [{"active": {"value": true}}]}}}
test.assert_empty(r)
}
3 changes: 2 additions & 1 deletion checks/cloud/aws/athena/enable_at_rest_encryption.go
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,8 @@ var CheckEnableAtRestEncryption = rules.Register(
Links: cloudFormationEnableAtRestEncryptionLinks,
RemediationMarkdown: cloudFormationEnableAtRestEncryptionRemediationMarkdown,
},
Severity: severity.High,
Severity: severity.High,
Deprecated: true,
},
func(s *state.State) (results scan.Results) {
for _, workgroup := range s.AWS.Athena.Workgroups {
Expand Down
53 changes: 53 additions & 0 deletions checks/cloud/aws/athena/enable_at_rest_encryption.rego
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
# METADATA
# title: Athena databases and workgroup configurations are created unencrypted at rest by default, they should be encrypted
# description: |
# Data can be read if the Athena Database is compromised. Athena databases and workspace result sets should be encrypted at rests. These databases and query sets are generally derived from data in S3 buckets and should have the same level of at rest protection.
# scope: package
# schemas:
# - input: schema["cloud"]
# related_resources:
# - https://docs.aws.amazon.com/athena/latest/ug/encryption.html
# custom:
# id: AVD-AWS-0006
# avd_id: AVD-AWS-0006
# provider: aws
# service: athena
# severity: HIGH
# short_code: enable-at-rest-encryption
# recommended_action: Enable encryption at rest for Athena databases and workgroup configurations
# input:
# selector:
# - type: cloud
# subtypes:
# - service: athena
# provider: aws
# terraform:
# links:
# - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/athena_workgroup#encryption_configuration
# - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/athena_database#encryption_configuration
# good_examples: checks/cloud/aws/athena/enable_at_rest_encryption.tf.go
# bad_examples: checks/cloud/aws/athena/enable_at_rest_encryption.tf.go
# cloudformation:
# good_examples: checks/cloud/aws/athena/enable_at_rest_encryption.cf.go
# bad_examples: checks/cloud/aws/athena/enable_at_rest_encryption.cf.go
package builtin.aws.athena.aws0006

import rego.v1

encryption_type_none := ""

deny contains res if {
some workgroup in input.aws.athena.workgroups
is_encryption_type_none(workgroup.encryption)
res := result.new("Workgroup does not have encryption configured.", workgroup)
}

deny contains res if {
some database in input.aws.athena.databases
is_encryption_type_none(database.encryption)
res := result.new("Database does not have encryption configured.", database)
}

is_encryption_type_none(encryption) if {
encryption.type.value == encryption_type_none
}
Loading

0 comments on commit 68c9eff

Please sign in to comment.