-
Notifications
You must be signed in to change notification settings - Fork 30
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
refactor(checks): migrate AWS accessanalyzer, athena, cloudfront to Rego
Signed-off-by: Nikita Pivkin <[email protected]>
- Loading branch information
Showing
38 changed files
with
673 additions
and
682 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
45 changes: 45 additions & 0 deletions
45
checks/cloud/aws/accessanalyzer/enable_access_analyzer.rego
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| # METADATA | ||
| # title: Enable IAM Access analyzer for IAM policies about all resources in each region. | ||
| # description: | | ||
| # AWS IAM Access Analyzer helps you identify the resources in your organization and | ||
| # accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. | ||
| # This lets you identify unintended access to your resources and data. Access Analyzer | ||
| # identifies resources that are shared with external principals by using logic-based reasoning | ||
| # to analyze the resource-based policies in your AWS environment. IAM Access Analyzer | ||
| # continuously monitors all policies for S3 bucket, IAM roles, KMS(Key Management Service) | ||
| # keys, AWS Lambda functions, and Amazon SQS(Simple Queue Service) queues. | ||
| # scope: package | ||
| # schemas: | ||
| # - input: schema["cloud"] | ||
| # related_resources: | ||
| # - https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html | ||
| # custom: | ||
| # id: AVD-AWS-0175 | ||
| # avd_id: AVD-AWS-0175 | ||
| # provider: aws | ||
| # service: accessanalyzer | ||
| # severity: LOW | ||
| # short_code: enable-access-analyzer | ||
| # recommended_action: Enable IAM Access analyzer across all regions. | ||
| # frameworks: | ||
| # cis-aws-1.4: | ||
| # - "1.20" | ||
| # input: | ||
| # selector: | ||
| # - type: cloud | ||
| # subtypes: | ||
| # - service: accessanalyzer | ||
| # provider: aws | ||
| package builtin.aws.accessanalyzer.aws0175 | ||
|
|
||
| import rego.v1 | ||
|
|
||
| deny contains res if { | ||
| not has_active_analyzer | ||
| res := result.new("Access Analyzer is not enabled.", {}) | ||
| } | ||
|
|
||
| has_active_analyzer if { | ||
| some analyzer in input.aws.accessanalyzer.analyzers | ||
| analyzer.active.value | ||
| } |
75 changes: 0 additions & 75 deletions
75
checks/cloud/aws/accessanalyzer/enable_access_analyzer_test.go
This file was deleted.
Oops, something went wrong.
26 changes: 26 additions & 0 deletions
26
checks/cloud/aws/accessanalyzer/enable_access_analyzer_test.rego
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| package builtin.aws.accessanalyzer.aws0175_test | ||
|
|
||
| import rego.v1 | ||
|
|
||
| import data.builtin.aws.accessanalyzer.aws0175 as check | ||
| import data.lib.test | ||
|
|
||
| test_disallow_no_analyzers if { | ||
| r := check.deny with input as {"aws": {"accessanalyzer": {"analyzers": []}}} | ||
| test.assert_equal_message("Access Analyzer is not enabled.", r) | ||
| } | ||
|
|
||
| test_disallow_analyzer_disabled if { | ||
| r := check.deny with input as {"aws": {"accessanalyzer": {"analyzers": [{"active": {"value": false}}]}}} | ||
| test.assert_equal_message("Access Analyzer is not enabled.", r) | ||
| } | ||
|
|
||
| test_allow_one_of_analyzer_disabled if { | ||
| r := check.deny with input as {"aws": {"accessanalyzer": {"analyzers": [{"active": {"value": false}}, {"active": {"value": true}}]}}} | ||
| test.assert_empty(r) | ||
| } | ||
|
|
||
| test_allow_analyzer_enabled if { | ||
| r := check.deny with input as {"aws": {"accessanalyzer": {"analyzers": [{"active": {"value": true}}]}}} | ||
| test.assert_empty(r) | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,53 @@ | ||
| # METADATA | ||
| # title: Athena databases and workgroup configurations are created unencrypted at rest by default, they should be encrypted | ||
| # description: | | ||
| # Athena databases and workspace result sets should be encrypted at rests. These databases and query sets are generally derived from data in S3 buckets and should have the same level of at rest protection. | ||
| # scope: package | ||
| # schemas: | ||
| # - input: schema["cloud"] | ||
| # related_resources: | ||
| # - https://docs.aws.amazon.com/athena/latest/ug/encryption.html | ||
| # custom: | ||
| # id: AVD-AWS-0006 | ||
| # avd_id: AVD-AWS-0006 | ||
| # provider: aws | ||
| # service: athena | ||
| # severity: HIGH | ||
| # short_code: enable-at-rest-encryption | ||
| # recommended_action: Enable encryption at rest for Athena databases and workgroup configurations | ||
| # input: | ||
| # selector: | ||
| # - type: cloud | ||
| # subtypes: | ||
| # - service: athena | ||
| # provider: aws | ||
| # terraform: | ||
| # links: | ||
| # - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/athena_workgroup#encryption_configuration | ||
| # - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/athena_database#encryption_configuration | ||
| # good_examples: checks/cloud/aws/athena/enable_at_rest_encryption.tf.go | ||
| # bad_examples: checks/cloud/aws/athena/enable_at_rest_encryption.tf.go | ||
| # cloudformation: | ||
| # good_examples: checks/cloud/aws/athena/enable_at_rest_encryption.cf.go | ||
| # bad_examples: checks/cloud/aws/athena/enable_at_rest_encryption.cf.go | ||
| package builtin.aws.athena.aws0006 | ||
|
|
||
| import rego.v1 | ||
|
|
||
| encryption_type_none := "" | ||
|
|
||
| deny contains res if { | ||
| some workgroup in input.aws.athena.workgroups | ||
| is_encryption_type_none(workgroup.encryption) | ||
| res := result.new("Workgroup does not have encryption configured.", workgroup) | ||
| } | ||
|
|
||
| deny contains res if { | ||
| some database in input.aws.athena.databases | ||
| is_encryption_type_none(database.encryption) | ||
| res := result.new("Database does not have encryption configured.", database) | ||
| } | ||
|
|
||
| is_encryption_type_none(encryption) if { | ||
| encryption.type.value == encryption_type_none | ||
| } |
This file was deleted.
Oops, something went wrong.
26 changes: 26 additions & 0 deletions
26
checks/cloud/aws/athena/enable_at_rest_encryption_test.rego
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| package builtin.aws.athena.aws0006_test | ||
|
|
||
| import rego.v1 | ||
|
|
||
| import data.builtin.aws.athena.aws0006 as check | ||
| import data.lib.test | ||
|
|
||
| test_disallow_database_unencrypted if { | ||
| inp := {"aws": {"athena": {"databases": [{"encryption": {"type": {"value": ""}}}]}}} | ||
| test.assert_equal_message("Database does not have encryption configured.", check.deny) with input as inp | ||
| } | ||
|
|
||
| test_disallow_workgroup_unencrypted if { | ||
| inp := {"aws": {"athena": {"workgroups": [{"encryption": {"type": {"value": ""}}}]}}} | ||
| test.assert_equal_message("Workgroup does not have encryption configured.", check.deny) with input as inp | ||
| } | ||
|
|
||
| test_allow_database_encrypted if { | ||
| inp := {"aws": {"athena": {"databases": [{"encryption": {"type": {"value": "SSE_S3"}}}]}}} | ||
| test.assert_empty(check.deny) with input as inp | ||
| } | ||
|
|
||
| test_allow_workgroup_encrypted if { | ||
| inp := {"aws": {"athena": {"workgroups": [{"encryption": {"type": {"value": "SSE_S3"}}}]}}} | ||
| test.assert_empty(check.deny) with input as inp | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,40 @@ | ||
| # METADATA | ||
| # title: Athena workgroups should enforce configuration to prevent client disabling encryption | ||
| # description: | | ||
| # Athena workgroup configuration should be enforced to prevent client side changes to disable encryption settings. | ||
| # scope: package | ||
| # schemas: | ||
| # - input: schema["cloud"] | ||
| # related_resources: | ||
| # - https://docs.aws.amazon.com/athena/latest/ug/manage-queries-control-costs-with-workgroups.html | ||
| # custom: | ||
| # id: AVD-AWS-0007 | ||
| # avd_id: AVD-AWS-0007 | ||
| # provider: aws | ||
| # service: athena | ||
| # severity: HIGH | ||
| # short_code: no-encryption-override | ||
| # recommended_action: Enforce the configuration to prevent client overrides | ||
| # input: | ||
| # selector: | ||
| # - type: cloud | ||
| # subtypes: | ||
| # - service: athena | ||
| # provider: aws | ||
| # terraform: | ||
| # links: | ||
| # - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/athena_workgroup#configuration | ||
| # good_examples: checks/cloud/aws/athena/no_encryption_override.tf.go | ||
| # bad_examples: checks/cloud/aws/athena/no_encryption_override.tf.go | ||
| # cloudformation: | ||
| # good_examples: checks/cloud/aws/athena/no_encryption_override.cf.go | ||
| # bad_examples: checks/cloud/aws/athena/no_encryption_override.cf.go | ||
| package builtin.aws.athena.aws0007 | ||
|
|
||
| import rego.v1 | ||
|
|
||
| deny contains res if { | ||
| some workgroup in input.aws.athena.workgroups | ||
| not workgroup.enforceconfiguration.value | ||
| res := result.new("The workgroup configuration is not enforced.", workgroup.enforceconfiguration) | ||
| } |
Oops, something went wrong.