Skip to content

Commit

Permalink
Merge branch 'main' into go2rego-aws-7-1
Browse files Browse the repository at this point in the history
  • Loading branch information
simar7 authored Aug 28, 2024
2 parents b039ef7 + b5c7746 commit a15b709
Show file tree
Hide file tree
Showing 1,059 changed files with 24,445 additions and 17,098 deletions.
3 changes: 2 additions & 1 deletion avd_docs/aws/apigateway/AVD-AWS-0001/docs.md
Original file line number Diff line number Diff line change
@@ -1,8 +1,9 @@

API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


### Impact
Logging provides vital information about access and usage
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
3 changes: 2 additions & 1 deletion avd_docs/aws/apigateway/AVD-AWS-0002/docs.md
Original file line number Diff line number Diff line change
@@ -1,8 +1,9 @@

Method cache encryption ensures that any sensitive data in the cache is not vulnerable to compromise in the event of interception


### Impact
Data stored in the cache that is unencrypted may be vulnerable to compromise
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
3 changes: 2 additions & 1 deletion avd_docs/aws/apigateway/AVD-AWS-0003/docs.md
Original file line number Diff line number Diff line change
@@ -1,8 +1,9 @@

X-Ray tracing enables end-to-end debugging and analysis of all API Gateway HTTP requests.


### Impact
Without full tracing enabled it is difficult to trace the flow of logs
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
3 changes: 2 additions & 1 deletion avd_docs/aws/apigateway/AVD-AWS-0004/docs.md
Original file line number Diff line number Diff line change
@@ -1,8 +1,9 @@

API Gateway methods should generally be protected by authorization or api key. OPTION verb calls can be used without authorization


### Impact
API gateway methods can be accessed without authorization.
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
3 changes: 2 additions & 1 deletion avd_docs/aws/apigateway/AVD-AWS-0005/docs.md
Original file line number Diff line number Diff line change
@@ -1,8 +1,9 @@

You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.


### Impact
Outdated SSL policies increase exposure to known vulnerabilities
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
3 changes: 2 additions & 1 deletion avd_docs/aws/apigateway/AVD-AWS-0190/docs.md
Original file line number Diff line number Diff line change
@@ -1,8 +1,9 @@

A REST API in API Gateway is a collection of resources and methods that are integrated with backend HTTP endpoints, Lambda functions, or other AWS services. You can enable API caching in Amazon API Gateway to cache your endpoint responses. With caching, you can reduce the number of calls made to your endpoint and also improve the latency of requests to your API.


### Impact
Reduce the number of calls made to your API endpoint and also improve the latency of requests to your API with response caching.
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
3 changes: 2 additions & 1 deletion avd_docs/aws/cloudfront/AVD-AWS-0010/docs.md
Original file line number Diff line number Diff line change
@@ -1,8 +1,9 @@

You should configure CloudFront Access Logging to create log files that contain detailed information about every user request that CloudFront receives


### Impact
Logging provides vital information about access and usage
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
3 changes: 2 additions & 1 deletion avd_docs/aws/cloudfront/AVD-AWS-0011/docs.md
Original file line number Diff line number Diff line change
@@ -1,8 +1,9 @@

You should configure a Web Application Firewall in front of your CloudFront distribution. This will mitigate many types of attacks on your web application.


### Impact
Complex web application attacks can more easily be performed without a WAF
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
4 changes: 2 additions & 2 deletions avd_docs/aws/cloudfront/AVD-AWS-0012/docs.md
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@

Plain HTTP is unencrypted and human-readable. This means that if a malicious actor was to eavesdrop on your connection, they would be able to see all of your data flowing back and forth.

You should use HTTPS, which is HTTP over an encrypted (TLS) connection, meaning eavesdroppers cannot read your traffic.


### Impact
CloudFront is available through an unencrypted connection
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
8 changes: 4 additions & 4 deletions avd_docs/aws/cloudfront/AVD-AWS-0013/docs.md
Original file line number Diff line number Diff line change
@@ -1,12 +1,12 @@

You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.

Note: that setting *minimum_protocol_version = "TLSv1.2_2021"* is only possible when *cloudfront_default_certificate* is false (eg. you are not using the cloudfront.net domain name).
If *cloudfront_default_certificate* is true then the Cloudfront API will only allow setting *minimum_protocol_version = "TLSv1"*, and setting it to any other value will result in a perpetual diff in your *terraform plan*'s.
Note: that setting *minimum_protocol_version = "TLSv1.2_2021"* is only possible when *cloudfront_default_certificate* is false (eg. you are not using the cloudfront.net domain name).
If *cloudfront_default_certificate* is true then the Cloudfront API will only allow setting *minimum_protocol_version = "TLSv1"*, and setting it to any other value will result in a perpetual diff in your *terraform plan*'s.
The only option when using the cloudfront.net domain name is to ignore this rule.


### Impact
Outdated SSL policies increase exposure to known vulnerabilities
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
3 changes: 2 additions & 1 deletion avd_docs/aws/cloudwatch/AVD-AWS-0017/docs.md
Original file line number Diff line number Diff line change
@@ -1,8 +1,9 @@

CloudWatch log groups are encrypted by default, however, to get the full benefit of controlling key rotation and other KMS aspects a KMS CMK should be used.


### Impact
Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
4 changes: 2 additions & 2 deletions avd_docs/aws/cloudwatch/AVD-AWS-0147/docs.md
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. You can have more than one VPC in an account, and you can create a peer connection between two VPCs, enabling network traffic to route between VPCs.

CIS recommends that you create a metric filter and alarm for changes to VPCs. Monitoring these changes helps ensure that authentication and authorization controls remain intact.


### Impact
Unauthorized API Calls may be attempted without being notified. CloudTrail logs these actions but without the alarm you aren't actively notified.
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
8 changes: 4 additions & 4 deletions avd_docs/aws/cloudwatch/AVD-AWS-0148/docs.md
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
CIS recommends that you create a metric filter and alarm console logins that aren't protected by MFA. Monitoring for single-factor console logins increases visibility into accounts that aren't protected by MFA.
You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
CIS recommends that you create a metric filter and alarm console logins that aren't protected by MFA. Monitoring for single-factor console logins increases visibility into accounts that aren't protected by MFA.


### Impact
Not alerting on logins with no MFA allows the risk to go un-notified.
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
6 changes: 3 additions & 3 deletions avd_docs/aws/cloudwatch/AVD-AWS-0149/docs.md
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@

You can do real-time monitoring of API calls directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.

You can do real-time monitoring of API calls directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
CIS recommends that you create a metric filter and alarm for root user login attempts. Monitoring for root user logins provides visibility into the use of a fully privileged account and an opportunity to reduce the use of it.


### Impact
The root user has significant permissions and should not be used for day to day tasks.
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
6 changes: 3 additions & 3 deletions avd_docs/aws/cloudwatch/AVD-AWS-0150/docs.md
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
CIS recommends that you create a metric filter and alarm for changes made to IAM policies. Monitoring these changes helps ensure that authentication and authorization controls remain intact.


### Impact
IAM Policy changes could lead to excessive permissions and may have been performed maliciously.
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
6 changes: 3 additions & 3 deletions avd_docs/aws/cloudwatch/AVD-AWS-0151/docs.md
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
CIS recommends that you create a metric filter and alarm for changes to CloudTrail configuration settings. Monitoring these changes helps ensure sustained visibility to activities in the account.


### Impact
CloudTrail tracks all changes through the API, attempts to change the configuration may indicate malicious activity. Without alerting on changes, visibility of this activity is reduced.
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
6 changes: 3 additions & 3 deletions avd_docs/aws/cloudwatch/AVD-AWS-0152/docs.md
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
CIS recommends that you create a metric filter and alarm for failed console authentication attempts. Monitoring failed console logins might decrease lead time to detect an attempt to brute-force a credential, which might provide an indicator, such as source IP, that you can use in other event correlations.


### Impact
Failed attempts to log into the Management console may indicate an attempt to maliciously access an account. Failure to alert reduces visibility of this activity.
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
8 changes: 4 additions & 4 deletions avd_docs/aws/cloudwatch/AVD-AWS-0153/docs.md
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
CIS recommends that you create a metric filter and alarm for customer managed keys that have changed state to disabled or scheduled deletion. Data encrypted with disabled or deleted keys is no longer accessible.
You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
CIS recommends that you create a metric filter and alarm for customer managed keys that have changed state to disabled or scheduled deletion. Data encrypted with disabled or deleted keys is no longer accessible.


### Impact
CloudTrail tracks all changes through the API, attempts to change the configuration may indicate malicious activity. Without alerting on changes, visibility of this activity is reduced.
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
6 changes: 3 additions & 3 deletions avd_docs/aws/cloudwatch/AVD-AWS-0154/docs.md
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
CIS recommends that you create a metric filter and alarm for changes to S3 bucket policies. Monitoring these changes might reduce time to detect and correct permissive policies on sensitive S3 buckets.


### Impact
Misconfigured policies on S3 buckets could lead to data leakage, without alerting visibility of this is reduced.
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
6 changes: 3 additions & 3 deletions avd_docs/aws/cloudwatch/AVD-AWS-0155/docs.md
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
CIS recommends that you create a metric filter and alarm for changes to AWS Config configuration settings. Monitoring these changes helps ensure sustained visibility of configuration items in the account.


### Impact
Changes to the configuration of AWS Config may indicate malicious activity. Without alerting on changes, visibility of this activity is reduced.
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
8 changes: 4 additions & 4 deletions avd_docs/aws/cloudwatch/AVD-AWS-0156/docs.md
Original file line number Diff line number Diff line change
@@ -1,11 +1,11 @@

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
Security groups are a stateful packet filter that controls ingress and egress traffic in a VPC.

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
Security groups are a stateful packet filter that controls ingress and egress traffic in a VPC.
CIS recommends that you create a metric filter and alarm for changes to security groups. Monitoring these changes helps ensure that resources and services aren't unintentionally exposed.


### Impact
Security groups control the ingress and egress, changes could be made to maliciously allow egress of data or external ingress. Without alerting, this could go unnoticed.
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
8 changes: 4 additions & 4 deletions avd_docs/aws/cloudwatch/AVD-AWS-0157/docs.md
Original file line number Diff line number Diff line change
@@ -1,11 +1,11 @@

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets in a VPC.

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets in a VPC.
CIS recommends that you create a metric filter and alarm for changes to NACLs. Monitoring these changes helps ensure that AWS resources and services aren't unintentionally exposed.


### Impact
Network ACLs control the ingress and egress, changes could be made to maliciously allow egress of data or external ingress. Without alerting, this could go unnoticed.
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
8 changes: 4 additions & 4 deletions avd_docs/aws/cloudwatch/AVD-AWS-0158/docs.md
Original file line number Diff line number Diff line change
@@ -1,11 +1,11 @@

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
Network gateways are required to send and receive traffic to a destination outside a VPC.

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
Network gateways are required to send and receive traffic to a destination outside a VPC.
CIS recommends that you create a metric filter and alarm for changes to network gateways. Monitoring these changes helps ensure that all ingress and egress traffic traverses the VPC border via a controlled path.


### Impact
Network gateways control the ingress and egress, changes could be made to maliciously allow egress of data or external ingress. Without alerting, this could go unnoticed.
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
8 changes: 4 additions & 4 deletions avd_docs/aws/cloudwatch/AVD-AWS-0159/docs.md
Original file line number Diff line number Diff line change
@@ -1,11 +1,11 @@

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
Routing tables route network traffic between subnets and to network gateways.

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
Routing tables route network traffic between subnets and to network gateways.
CIS recommends that you create a metric filter and alarm for changes to route tables. Monitoring these changes helps ensure that all VPC traffic flows through an expected path.


### Impact
Route tables control the flow of network traffic, changes could be made to maliciously allow egress of data or external ingress. Without alerting, this could go unnoticed.
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
8 changes: 4 additions & 4 deletions avd_docs/aws/cloudwatch/AVD-AWS-0160/docs.md
Original file line number Diff line number Diff line change
@@ -1,11 +1,11 @@

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
You can have more than one VPC in an account, and you can create a peer connection between two VPCs, enabling network traffic to route between VPCs.
CIS recommends that you create a metric filter and alarm for changes to VPCs. Monitoring these changes helps ensure that authentication and authorization controls remain intact.
CIS recommends that you create a metric filter and alarm for changes to VPCs. Monitoring these changes helps ensure that authentication and authorization controls remain intact.


### Impact
Route tables control the flow of network traffic, changes could be made to maliciously allow egress of data or external ingress. Without alerting, this could go unnoticed.
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
3 changes: 1 addition & 2 deletions avd_docs/aws/cloudwatch/AVD-AWS-0174/docs.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,4 @@


Monitoring AWS Organizations changes can help you prevent any unwanted, accidental or
intentional modifications that may lead to unauthorized access or other security breaches.
This monitoring technique helps you to ensure that any unexpected changes performed
Expand All @@ -8,7 +7,7 @@ rolled back.


### Impact
Lack of observability into critical organisation changes
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
3 changes: 2 additions & 1 deletion avd_docs/aws/ecr/AVD-AWS-0030/docs.md
Original file line number Diff line number Diff line change
@@ -1,8 +1,9 @@

Repository image scans should be enabled to ensure vulnerable software can be discovered and remediated as soon as possible.


### Impact
The ability to scan images is not being used and vulnerabilities will not be highlighted
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
4 changes: 2 additions & 2 deletions avd_docs/aws/ecr/AVD-AWS-0031/docs.md
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@

ECR images should be set to IMMUTABLE to prevent code injection through image mutation.
This can be done by setting <code>image_tag_mutability</code> to <code>IMMUTABLE</code>

This can be done by setting <code>image_tab_mutability</code> to <code>IMMUTABLE</code>

### Impact
Image tags could be overwritten with compromised images
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
3 changes: 2 additions & 1 deletion avd_docs/aws/ecr/AVD-AWS-0032/docs.md
Original file line number Diff line number Diff line change
@@ -1,8 +1,9 @@

Allowing public access to the ECR repository risks leaking sensitive of abusable information


### Impact
Risk of potential data leakage of sensitive artifacts
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
3 changes: 2 additions & 1 deletion avd_docs/aws/ecr/AVD-AWS-0033/docs.md
Original file line number Diff line number Diff line change
@@ -1,8 +1,9 @@

Images in the ECR repository are encrypted by default using AWS managed encryption keys. To increase control of the encryption and control the management of factors like key rotation, use a Customer Managed Key.


### Impact
Using AWS managed keys does not allow for fine grained control
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
Loading

0 comments on commit a15b709

Please sign in to comment.