Merge branch 'main' into feature/ecc-aws-067-unauthorized_api_calls_a…

…larm_exists
epam · Dec 12, 2023 · 6ff591f · 6ff591f
2 parents 96f4899 + caffecf
commit 6ff591f
Show file tree

Hide file tree

Showing 310 changed files with 5,562 additions and 589 deletions.
diff --git a/iam/All-permissions.json → iam/All-permissions_1.json b/iam/All-permissions.json → iam/All-permissions_1.json
@@ -222,11 +222,7 @@
                 "waf-regional:GetWebACL",
                 "waf:GetWebACL",
                 "waf:ListWebACLs",
-                "workspaces:DescribeWorkspaceDirectories",
-                "workspaces:DescribeWorkspaceImages",
-                "workspaces:DescribeWorkspaces",
-                "workspaces:DescribeWorkspacesConnectionStatus",
-                "xray:GetEncryptionConfig"
+                "workspaces:DescribeWorkspaceDirectories"
             ],
             "Resource": "*"
         }

diff --git a/iam/All-permissions_2.json b/iam/All-permissions_2.json
@@ -0,0 +1,21 @@
+{
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Effect": "Allow",
+			"Action": [
+				"workspaces:DescribeWorkspaceImages",
+				"workspaces:DescribeWorkspaces",
+				"workspaces:DescribeWorkspacesConnectionStatus",
+				"xray:GetEncryptionConfig",
+				"events:ListRules",
+				"events:ListTargetsByRule",
+				"batch:DescribeComputeEnvironments",
+				"kafka:ListClustersV2",
+				"cloudformation:ListStacks",
+				"iam:ListVirtualMFADevices"
+			],
+			"Resource": "*"
+		}
+	]
+}
diff --git a/non-compatible-policies/ecc-aws-052-cloudtrail_enabled_in_all_regions.yml b/non-compatible-policies/ecc-aws-052-cloudtrail_enabled_in_all_regions.yml
@@ -6,7 +6,7 @@
 
 policies:
   - name: ecc-aws-052-cloudtrail_enabled_in_all_regions
-    comment: '010016010301'
+    comment: '010016012501'
     description: |
       CloudTrail is not enabled in all regions
     resource: aws.account

diff --git a/non-compatible-policies/ecc-aws-054-iam_policies_full_administrative_privileges.yml b/non-compatible-policies/ecc-aws-054-iam_policies_full_administrative_privileges.yml
@@ -6,7 +6,7 @@
 
 policies:
   - name: ecc-aws-054-iam_policies_full_administrative_privileges
-    comment: '010022000301'
+    comment: '010022002501'
     description: |
       IAM policies that allow full "*:*" administrative privileges are in use
     resource: iam-policy-all

diff --git a/non-compatible-policies/ecc-aws-056-iam_user_with_password_and_unused_access_keys.yml b/non-compatible-policies/ecc-aws-056-iam_user_with_password_and_unused_access_keys.yml
@@ -6,7 +6,7 @@
 
 policies:
   - name: ecc-aws-056-iam_user_with_password_and_unused_access_keys
-    comment: '010033000301'
+    comment: '010033002501'
     description: |
       Access key was created during initial IAM user setup
     resource: aws.iam-user

diff --git a/non-compatible-policies/ecc-aws-058-ensure_support_role_created_to_manage_incidents.yml b/non-compatible-policies/ecc-aws-058-ensure_support_role_created_to_manage_incidents.yml
@@ -6,7 +6,7 @@
 
 policies:
   - name: ecc-aws-058-ensure_support_role_created_to_manage_incidents
-    comment: '010022000301'
+    comment: '010022002501'
     description: |
       Support role has not been created to manage incidents with AWS Support
     resource: aws.account

diff --git a/non-compatible-policies/ecc-aws-068-s3_bucket_cloudtrail_logs_not_publicly_accessible.yml b/non-compatible-policies/ecc-aws-068-s3_bucket_cloudtrail_logs_not_publicly_accessible.yml
@@ -6,7 +6,7 @@
 
 policies:
   - name: ecc-aws-068-s3_bucket_cloudtrail_logs_not_publicly_accessible
-    comment: '010040010300'
+    comment: '010040012500'
     description: |
       S3 bucket used to store CloudTrail logs is publicly accessible
     resource: aws.cloudtrail

diff --git a/non-compatible-policies/ecc-aws-077-sign_in_without_mfa_alarm_exist.yml b/non-compatible-policies/ecc-aws-077-sign_in_without_mfa_alarm_exist.yml
@@ -6,7 +6,7 @@
 
 policies:
   - name: ecc-aws-077-sign_in_without_mfa_alarm_exist
-    comment: '010016010300'
+    comment: '010016012500'
     description: |
       Log metric filter and alarm do not exist for Management Console sign-in without MFA
     resource: aws.account

diff --git a/non-compatible-policies/ecc-aws-078-root_usage_alarm_exists.yml b/non-compatible-policies/ecc-aws-078-root_usage_alarm_exists.yml
@@ -6,7 +6,7 @@
 
 policies:
   - name: ecc-aws-078-root_usage_alarm_exists
-    comment: '010016010300'
+    comment: '010016012500'
     description: |
       Log metric filter and alarm do not exist for usage of "root" account
     resource: aws.account

diff --git a/non-compatible-policies/ecc-aws-079-iam_policy_changes_alarm_exist.yml b/non-compatible-policies/ecc-aws-079-iam_policy_changes_alarm_exist.yml
@@ -6,7 +6,7 @@
 
 policies:
   - name: ecc-aws-079-iam_policy_changes_alarm_exist
-    comment: '010016010300'
+    comment: '010016012500'
     description: |
       Log metric filter and alarm do not exist for IAM policy changes
     resource: aws.account

diff --git a/non-compatible-policies/ecc-aws-080-cloudtrail_configuration_changes_alarm_exists.yml b/non-compatible-policies/ecc-aws-080-cloudtrail_configuration_changes_alarm_exists.yml
@@ -6,7 +6,7 @@
 
 policies:
   - name: ecc-aws-080-cloudtrail_configuration_changes_alarm_exists
-    comment: '010016010300'
+    comment: '010016012500'
     description: |
       Log metric filter and alarm do not exist for CloudTrail configuration changes
     resource: aws.account

diff --git a/non-compatible-policies/ecc-aws-081-console_auth_failure_alarm_exists.yml b/non-compatible-policies/ecc-aws-081-console_auth_failure_alarm_exists.yml
@@ -6,7 +6,7 @@
 
 policies:
   - name: ecc-aws-081-console_auth_failure_alarm_exists
-    comment: '010016010300'
+    comment: '010016012500'
     description: |
       Log metric filter and alarm do not exist for AWS Management Console authentication failures
     resource: aws.account

diff --git a/non-compatible-policies/ecc-aws-082-cmk_key_disabling_or_deletion_alarm_exists.yml b/non-compatible-policies/ecc-aws-082-cmk_key_disabling_or_deletion_alarm_exists.yml
@@ -6,7 +6,7 @@
 
 policies:
   - name: ecc-aws-082-cmk_key_disabling_or_deletion_alarm_exists
-    comment: '010016010300'
+    comment: '010016012500'
     description: |
       Log metric filter and alarm do not exist for disabling or scheduled deletion of customer created CMKs
     resource: aws.account

diff --git a/non-compatible-policies/ecc-aws-084-cloudtrail_bucket_logging_enabled.yml b/non-compatible-policies/ecc-aws-084-cloudtrail_bucket_logging_enabled.yml
@@ -6,7 +6,7 @@
 
 policies:
   - name: ecc-aws-084-cloudtrail_bucket_logging_enabled
-    comment: '010019010300'
+    comment: '010019012500'
     description: |
       S3 bucket access logging is disabled on the CloudTrail S3 bucket
     resource: aws.cloudtrail

diff --git a/non-compatible-policies/ecc-aws-094-s3_bucket_policy_changes_alarm_exists.yml b/non-compatible-policies/ecc-aws-094-s3_bucket_policy_changes_alarm_exists.yml
@@ -6,7 +6,7 @@
 
 policies:
   - name: ecc-aws-094-s3_bucket_policy_changes_alarm_exists
-    comment: '010016010300'
+    comment: '010016012500'
     description: |
       Log metric filter and alarm do not exist for S3 bucket policy changes
     resource: aws.account

diff --git a/non-compatible-policies/ecc-aws-095-aws_config_configuration_changes_alarm_exists.yml b/non-compatible-policies/ecc-aws-095-aws_config_configuration_changes_alarm_exists.yml
@@ -6,7 +6,7 @@
 
 policies:
   - name: ecc-aws-095-aws_config_configuration_changes_alarm_exists
-    comment: '010016010300'
+    comment: '010016012500'
     description: |
       Log metric filter and alarm do not exist for AWS Config configuration changes
     resource: aws.account

diff --git a/non-compatible-policies/ecc-aws-096-security_group_changes_alarm_exists.yml b/non-compatible-policies/ecc-aws-096-security_group_changes_alarm_exists.yml
@@ -6,7 +6,7 @@
 
 policies:
   - name: ecc-aws-096-security_group_changes_alarm_exists
-    comment: '010016010300'
+    comment: '010016012500'
     description: |
       Log metric filter and alarm do not exist for security group changes
     resource: aws.account

diff --git a/non-compatible-policies/ecc-aws-097-network_access_control_lists_changes_alarm_exists.yml b/non-compatible-policies/ecc-aws-097-network_access_control_lists_changes_alarm_exists.yml
@@ -6,7 +6,7 @@
 
 policies:
   - name: ecc-aws-097-network_access_control_lists_changes_alarm_exists
-    comment: '010016010300'
+    comment: '010016012500'
     description: |
       Log metric filter and alarm do not exist for changes to Network Access Control Lists (NACL)
     resource: aws.account

diff --git a/non-compatible-policies/ecc-aws-098-network_gateways_changes_alarm_exists.yml b/non-compatible-policies/ecc-aws-098-network_gateways_changes_alarm_exists.yml
@@ -6,7 +6,7 @@
 
 policies:
   - name: ecc-aws-098-network_gateways_changes_alarm_exists
-    comment: '010016010300'
+    comment: '010016012500'
     description: |
       Log metric filter and alarm do not exist for changes to network gateways
     resource: aws.account

diff --git a/non-compatible-policies/ecc-aws-099-route_table_changes_alarm_exists.yml b/non-compatible-policies/ecc-aws-099-route_table_changes_alarm_exists.yml
@@ -6,7 +6,7 @@
 
 policies:
   - name: ecc-aws-099-route_table_changes_alarm_exists
-    comment: '010016010300'
+    comment: '010016012500'
     description: |
       Log metric filter and alarm do not exist for route table changes
     resource: aws.account

diff --git a/non-compatible-policies/ecc-aws-100-vpc_changes_alarm_exists.yml b/non-compatible-policies/ecc-aws-100-vpc_changes_alarm_exists.yml
@@ -6,7 +6,7 @@
 
 policies:
   - name: ecc-aws-100-vpc_changes_alarm_exists
-    comment: '010016010300'
+    comment: '010016012500'
     description: |
       Log metric filter and alarm do not exist for VPC changes
     resource: aws.account

diff --git a/non-compatible-policies/ecc-aws-143-bucket_object-level_logging_for_write_enabled.yml b/non-compatible-policies/ecc-aws-143-bucket_object-level_logging_for_write_enabled.yml
@@ -6,7 +6,7 @@
 
 policies:
   - name: ecc-aws-143-bucket_object-level_logging_for_write_enabled
-    comment: '010019010300'
+    comment: '010019012500'
     description: |
       Object-level logging for write events is disabled for S3 bucket
     resource: aws.account

diff --git a/non-compatible-policies/ecc-aws-144-bucket_object-level_logging_for_read_enabled.yml b/non-compatible-policies/ecc-aws-144-bucket_object-level_logging_for_read_enabled.yml
@@ -6,7 +6,7 @@
 
 policies:
   - name: ecc-aws-144-bucket_object-level_logging_for_read_enabled
-    comment: '010019010300'
+    comment: '010019012500'
     description: |
       Object-level logging for read events is disabled for S3 bucket
     resource: aws.account

diff --git a/non-compatible-policies/ecc-aws-145-organizations_changes_alarm_exists.yml b/non-compatible-policies/ecc-aws-145-organizations_changes_alarm_exists.yml
@@ -6,7 +6,7 @@
 
 policies:
   - name: ecc-aws-145-organizations_changes_alarm_exists
-    comment: '010016010300'
+    comment: '010016012500'
     description: |
       Log metric filter and alarm do not exist for AWS Organizations changes
     resource: aws.account

diff --git a/.../ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports.yml b/.../ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports.yml
@@ -6,7 +6,7 @@
 
 policies:
   - name: ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports
-    comment: '010024020300'
+    comment: '010024022500'
     description: |
       Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
     resource: aws.network-acl

diff --git a/policies/ecc-aws-001-ensure_mfa_is_enabled_for_all_iam_users_with_console_password.yml b/policies/ecc-aws-001-ensure_mfa_is_enabled_for_all_iam_users_with_console_password.yml
@@ -7,7 +7,7 @@
 
 policies:
   - name: ecc-aws-001-ensure_mfa_is_enabled_for_all_iam_users_with_console_password
-    comment: '010036000301'
+    comment: '010036002501'
     description: |
       Multi-factor authentication (MFA) is not enabled for all IAM users that have console password
     resource: aws.iam-user

diff --git a/policies/ecc-aws-002-ensure_access_keys_are_rotated_every_90_days.yml b/policies/ecc-aws-002-ensure_access_keys_are_rotated_every_90_days.yml
@@ -7,7 +7,7 @@
 
 policies:
   - name: ecc-aws-002-ensure_access_keys_are_rotated_every_90_days
-    comment: '010022000301'
+    comment: '010022002501'
     description: |
       Access keys are not rotated every 90 days or less
     resource: aws.iam-user

diff --git a/policies/ecc-aws-003-ensure_vpc_flow_logging_enabled_for_every_vpc.yml b/policies/ecc-aws-003-ensure_vpc_flow_logging_enabled_for_every_vpc.yml
@@ -7,7 +7,7 @@
 
 policies:
   - name: ecc-aws-003-ensure_vpc_flow_logging_enabled_for_every_vpc
-    comment: '010019010300'
+    comment: '010019012500'
     description: |
       VPC flow logging is not enabled in all VPCs
     resource: aws.vpc

diff --git a/policies/ecc-aws-004-bucket_policy_allows_https_requests.yml b/policies/ecc-aws-004-bucket_policy_allows_https_requests.yml
@@ -7,7 +7,7 @@
 
 policies:
   - name: ecc-aws-004-bucket_policy_allows_https_requests
-    comment: '010022040301'
+    comment: '010022042501'
     description: |
       S3 Bucket Policy allows HTTP requests
     resource: aws.s3

diff --git a/policies/ecc-aws-015-ensure_mfa_is_enabled_for_the_root_account.yml b/policies/ecc-aws-015-ensure_mfa_is_enabled_for_the_root_account.yml
@@ -7,7 +7,7 @@
 
 policies:
   - name: ecc-aws-015-ensure_mfa_is_enabled_for_the_root_account
-    comment: '010036000301'
+    comment: '010036002501'
     description: |
       Virtual MFA is not enabled for the "root" account
     resource: aws.account

diff --git a/policies/ecc-aws-016-ensure_hardware_mfa_is_enabled_for_root_account.yml b/policies/ecc-aws-016-ensure_hardware_mfa_is_enabled_for_root_account.yml
@@ -7,7 +7,7 @@
 
 policies:
   - name: ecc-aws-016-ensure_hardware_mfa_is_enabled_for_root_account
-    comment: '010036000301'
+    comment: '010036002501'
     description: |
       Hardware MFA is not enabled for the 'root' account
     resource: account

diff --git a/policies/ecc-aws-017-credentials_unused_for_45_days.yml b/policies/ecc-aws-017-credentials_unused_for_45_days.yml
@@ -7,7 +7,7 @@
 
 policies:
   - name: ecc-aws-017-credentials_unused_for_45_days
-    comment: '010022000301'
+    comment: '010022002501'
     description: |
       Credentials unused for 45 days or more are not disabled
     resource: aws.iam-user

diff --git a/policies/ecc-aws-018-iam_users_receive_permissions_only_through_groups.yml b/policies/ecc-aws-018-iam_users_receive_permissions_only_through_groups.yml
@@ -7,7 +7,7 @@
 
 policies:
   - name: ecc-aws-018-iam_users_receive_permissions_only_through_groups
-    comment: '010022000301'
+    comment: '010022002501'
     description: |
       IAM Users receive permissions not only through groups
     resource: aws.iam-user

diff --git a/policies/ecc-aws-019-iam_password_policy_password_reuse.yml b/policies/ecc-aws-019-iam_password_policy_password_reuse.yml
@@ -7,7 +7,7 @@
 
 policies:
   - name: ecc-aws-019-iam_password_policy_password_reuse
-    comment: '010022000301'
+    comment: '010022002501'
     description: |
       IAM password policy does not prevent password reuse
     resource: aws.account

diff --git a/policies/ecc-aws-046-ensure_no_root_account_access_key_exists.yml b/policies/ecc-aws-046-ensure_no_root_account_access_key_exists.yml
@@ -7,7 +7,7 @@
 
 policies:
   - name: ecc-aws-046-ensure_no_root_account_access_key_exists
-    comment: '010035000301'
+    comment: '010035002501'
     description: |
       Root user account access key exists
     resource: aws.account

diff --git a/policies/ecc-aws-050-iam_password_min_length_ge_14.yml b/policies/ecc-aws-050-iam_password_min_length_ge_14.yml
@@ -7,7 +7,7 @@
 
 policies:
   - name: ecc-aws-050-iam_password_min_length_ge_14
-    comment: '010022000301'
+    comment: '010022002501'
     description: |
       Password policy does not require minimum length of 14 characters or greater
     resource: aws.account

diff --git a/policies/ecc-aws-053-cloudtrail_log_validation_enabled.yml b/policies/ecc-aws-053-cloudtrail_log_validation_enabled.yml
@@ -7,7 +7,7 @@
 
 policies:
   - name: ecc-aws-053-cloudtrail_log_validation_enabled
-    comment: '010019010300'
+    comment: '010019012500'
     description: |
       CloudTrail log file validation is disabled
     resource: aws.cloudtrail

diff --git a/policies/ecc-aws-055-cloudtrail_integrated_with_cloudwatch.yml b/policies/ecc-aws-055-cloudtrail_integrated_with_cloudwatch.yml
@@ -7,7 +7,7 @@
 
 policies:
   - name: ecc-aws-055-cloudtrail_integrated_with_cloudwatch
-    comment: '010019010300'
+    comment: '010019012500'
     description: |
       CloudTrail trails are not integrated with CloudWatch Logs
     resource: aws.cloudtrail

diff --git a/...cies/ecc-aws-057-ensure_iam_instance_roles_are_used_for_resource_access_from_instance.yml b/...cies/ecc-aws-057-ensure_iam_instance_roles_are_used_for_resource_access_from_instance.yml
@@ -7,7 +7,7 @@
 
 policies:
   - name: ecc-aws-057-ensure_iam_instance_roles_are_used_for_resource_access_from_instance
-    comment: '010048000300'
+    comment: '010048002500'
     description: |
       IAM instance roles are not used for AWS resource access from instances
     resource: aws.ec2

diff --git a/policies/ecc-aws-059-config_enabled_all_regions.yml b/policies/ecc-aws-059-config_enabled_all_regions.yml
@@ -7,7 +7,7 @@
 
 policies:
   - name: ecc-aws-059-config_enabled_all_regions
-    comment: '010016010301'
+    comment: '010016012501'
     description: |
       AWS Config is not enabled in all regions
     resource: account

diff --git a/policies/ecc-aws-060-cloudtrail_logs_encrypted_using_KMS_CMKs.yml b/policies/ecc-aws-060-cloudtrail_logs_encrypted_using_KMS_CMKs.yml
@@ -7,7 +7,7 @@
 
 policies:
   - name: ecc-aws-060-cloudtrail_logs_encrypted_using_KMS_CMKs
-    comment: '010043010300'
+    comment: '010043012500'
     description: |
       CloudTrail logs are not encrypted at rest using KMS CMK
     resource: aws.cloudtrail

diff --git a/policies/ecc-aws-061-kms_key_rotation_is_enabled.yml b/policies/ecc-aws-061-kms_key_rotation_is_enabled.yml
@@ -7,7 +7,7 @@
 
 policies:
   - name: ecc-aws-061-kms_key_rotation_is_enabled
-    comment: '010029090300'
+    comment: '010029092500'
     description: |
       Rotation for symmetric customer-created CMKs is not enabled
     resource: aws.kms-key