-
Notifications
You must be signed in to change notification settings - Fork 30
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
refactor(checks): migrate from Go to Rego
- Loading branch information
Showing
328 changed files
with
7,704 additions
and
7,323 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,3 +1,5 @@ | ||
| .idea | ||
| bundle.tar.gz | ||
| opa | ||
| .vscode/ | ||
| .DS_Store |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| package accessanalyzer |
This file was deleted.
Oops, something went wrong.
45 changes: 45 additions & 0 deletions
45
checks/cloud/aws/accessanalyzer/enable_access_analyzer.rego
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| # METADATA | ||
| # title: Enable IAM Access analyzer for IAM policies about all resources in each region. | ||
| # description: | | ||
| # AWS IAM Access Analyzer helps you identify the resources in your organization and | ||
| # accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. | ||
| # This lets you identify unintended access to your resources and data. Access Analyzer | ||
| # identifies resources that are shared with external principals by using logic-based reasoning | ||
| # to analyze the resource-based policies in your AWS environment. IAM Access Analyzer | ||
| # continuously monitors all policies for S3 bucket, IAM roles, KMS(Key Management Service) | ||
| # keys, AWS Lambda functions, and Amazon SQS(Simple Queue Service) queues. | ||
| # scope: package | ||
| # schemas: | ||
| # - input: schema["cloud"] | ||
| # related_resources: | ||
| # - https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html | ||
| # custom: | ||
| # id: AVD-AWS-0175 | ||
| # avd_id: AVD-AWS-0175 | ||
| # provider: aws | ||
| # service: accessanalyzer | ||
| # severity: LOW | ||
| # short_code: enable-access-analyzer | ||
| # recommended_action: Enable IAM Access analyzer across all regions. | ||
| # frameworks: | ||
| # cis-aws-1.4: | ||
| # - "1.20" | ||
| # input: | ||
| # selector: | ||
| # - type: cloud | ||
| # subtypes: | ||
| # - service: accessanalyzer | ||
| # provider: aws | ||
| package builtin.aws.accessanalyzer.aws0175 | ||
|
|
||
| import rego.v1 | ||
|
|
||
| deny contains res if { | ||
| not has_active_analyzer | ||
| res := result.new("Access Analyzer is not enabled.", {}) | ||
| } | ||
|
|
||
| has_active_analyzer if { | ||
| some analyzer in input.aws.accessanalyzer.analyzers | ||
| analyzer.active.value | ||
| } |
75 changes: 0 additions & 75 deletions
75
checks/cloud/aws/accessanalyzer/enable_access_analyzer_test.go
This file was deleted.
Oops, something went wrong.
26 changes: 26 additions & 0 deletions
26
checks/cloud/aws/accessanalyzer/enable_access_analyzer_test.rego
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| package builtin.aws.accessanalyzer.aws0175_test | ||
|
|
||
| import rego.v1 | ||
|
|
||
| import data.builtin.aws.accessanalyzer.aws0175 as check | ||
| import data.lib.test | ||
|
|
||
| test_disallow_no_analyzers if { | ||
| r := check.deny with input as {"aws": {"accessanalyzer": {"analyzers": []}}} | ||
| test.assert_equal_message("Access Analyzer is not enabled.", r) | ||
| } | ||
|
|
||
| test_disallow_analyzer_disabled if { | ||
| r := check.deny with input as {"aws": {"accessanalyzer": {"analyzers": [{"active": {"value": false}}]}}} | ||
| test.assert_equal_message("Access Analyzer is not enabled.", r) | ||
| } | ||
|
|
||
| test_allow_one_of_analyzer_disabled if { | ||
| r := check.deny with input as {"aws": {"accessanalyzer": {"analyzers": [{"active": {"value": false}}, {"active": {"value": true}}]}}} | ||
| test.assert_empty(r) | ||
| } | ||
|
|
||
| test_allow_analyzer_enabled if { | ||
| r := check.deny with input as {"aws": {"accessanalyzer": {"analyzers": [{"active": {"value": true}}]}}} | ||
| test.assert_empty(r) | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| package apigateway |
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| # METADATA | ||
| # title: API Gateway stages for V1 and V2 should have access logging enabled | ||
| # description: | | ||
| # API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages. | ||
| # scope: package | ||
| # schemas: | ||
| # - input: schema["cloud"] | ||
| # related_resources: | ||
| # - https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html | ||
| # custom: | ||
| # id: AVD-AWS-0001 | ||
| # avd_id: AVD-AWS-0001 | ||
| # provider: aws | ||
| # service: apigateway | ||
| # severity: MEDIUM | ||
| # short_code: enable-access-logging | ||
| # recommended_action: Enable logging for API Gateway stages | ||
| # input: | ||
| # selector: | ||
| # - type: cloud | ||
| # subtypes: | ||
| # - service: apigateway | ||
| # provider: aws | ||
| # terraform: | ||
| # links: | ||
| # - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/apigatewayv2_stage#access_log_settings | ||
| # good_examples: checks/cloud/aws/apigateway/enable_access_logging.tf.go | ||
| # bad_examples: checks/cloud/aws/apigateway/enable_access_logging.tf.go | ||
| # cloudformation: | ||
| # good_examples: checks/cloud/aws/apigateway/enable_access_logging.cf.go | ||
| # bad_examples: checks/cloud/aws/apigateway/enable_access_logging.cf.go | ||
| package builtin.aws.apigateway.aws0001 | ||
|
|
||
| import rego.v1 | ||
|
|
||
| deny contains res if { | ||
| some stage in apis[_].stages | ||
| stage.__defsec_metadata.managed | ||
|
|
||
| arn := stage.accesslogging.cloudwatchloggrouparn | ||
| arn.value == "" # TODO: check if unresolvable? | ||
|
|
||
| res := result.new("Access logging is not configured.", arn) | ||
| } | ||
|
|
||
| # TODO: use map? | ||
| apis contains input.aws.apigateway.v1.apis[_] | ||
|
|
||
| apis contains input.aws.apigateway.v2.apis[_] |
Oops, something went wrong.