Add rules for EKS CIS section 5.1

applications/openshift/registry/approved_registries/rule.yml

@@ -0,0 +1,30 @@
+documentation_complete: true
+
+prodtype: eks
+
+title: 'Only use approved container registries'
+
+description: |-
+  Use approved container registries.
+
+rationale: |-
+  Allowing unrestricted access to external container registries provides the
+  opportunity for malicious or unapproved containers to be deployed into the
+  cluster. Allowlisting only approved container registries reduces this risk.
+
+severity: unknown
+
+identifiers:
+  cce@eks: CCE-86901-6
+
+references:
+  cis@eks: 5.1.4
+
+ocil_clause: 'container images come from approved registries'
+
+ocil: |-
+  Ensure all containers and images are coming from approved registries.
+
+  References:
+
+  https://aws.amazon.com/blogs/opensource/using-open-policy-agent-on-amazon-eks/

applications/openshift/registry/group.yml

@@ -1,7 +1,7 @@
 documentation_complete: true
 
-prodtype: ocp4
+prodtype: ocp4,eks
 
-title: 'OpenShift - Registry Security Practices'
+title: 'Kubernetes - Registry Security Practices'
 
-description: 'Contains evaluations for OpenShift registry security practices, and cluster-wide registry configuration.'
+description: 'Contains evaluations for Kubernetes registry security practices, and cluster-wide registry configuration.'

applications/openshift/registry/image_scanning/rule.yml

@@ -0,0 +1,48 @@
+documentation_complete: true
+
+prodtype: eks
+
+title: 'Ensure Image Vulnerability Scanning'
+
+description: |-
+  Scan images being deployed to Amazon EKS for vulnerabilities.
+
+rationale: |-
+  Vulnerabilities in software packages can be exploited by hackers or malicious
+  users to obtain unauthorized access to local cloud resources. Amazon ECR and
+  other third party products allow images to be scanned for known
+  vulnerabilities.
+
+severity: unknown
+
+identifiers:
+  cce@eks: CCE-88990-7
+
+references:
+  cis@eks: 5.1.1
+
+ocil_clause: 'image vulnerability scanning is enabled'
+
+ocil: |-
+  Please follow AWS ECS or your 3rd party image scanning provider's guidelines
+  for enabling Image Scanning.
+
+  Remediation:
+
+  To utilize AWS ECR for Image scanning please follow the steps below:
+
+  To create a repository configured for scan on push (AWS CLI)
+
+  <tt>aws ecr create-repository --repository-name <i>$REPO_NAME</i> --image-scanning- configuration scanOnPush=true --region <i>$REGION_CODE</i></tt>
+
+  To edit the settings of an existing repository (AWS CLI)
+
+  <tt>aws ecr put-image-scanning-configuration --repository-name <i>$REPO_NAME</i> -- image-scanning-configuration scanOnPush=true --region <i>$REGION_CODE</i></tt>
+
+  Use the following steps to start a manual image scan using the AWS Management Console.
+
+  1. Open the Amazon ECR console at https://console.aws.amazon.com/ecr/repositories.
+  2. From the navigation bar, choose the Region to create your repository in.
+  3. In the navigation pane, choose Repositories.
+  4. On the Repositories page, choose the repository that contains the image to scan.
+  5. On the Images page, select the image to scan and then choose Scan.

applications/openshift/registry/read_only_registry_access/rule.yml

@@ -0,0 +1,57 @@
+documentation_complete: true
+
+prodtype: eks
+
+title: 'Ensure Cluster Service Account with read-only access to Amazon ECR'
+
+description: |-
+  Configure the Cluster Service Account with Storage Object Viewer Role to only
+  allow read- only access to Amazon ECR.
+
+rationale: |-
+  The Cluster Service Account does not require administrative access to Amazon
+  ECR, only requiring pull access to containers to deploy onto Amazon EKS.
+  Restricting permissions follows the principles of least privilege and
+  prevents credentials from being abused beyond the required role.
+
+severity: unknown
+
+identifiers:
+  cce@eks: CCE-86681-4
+
+references:
+  cis@eks: 5.1.3
+
+ocil_clause: 'Cluster Service Account has read-only access to Amazon ECR'
+
+ocil: |-
+  Review AWS ECS worker node IAM role (NodeInstanceRole) IAM Policy Permissions
+  to verify that they are set and the minimum required level. If utilizing a
+  3rd party tool to scan images utilize the minimum required permission level
+  required to interact with the cluster - generally this should be read-only.
+
+  Remediation:
+
+  You can use your Amazon ECR images with Amazon EKS, but you need to satisfy
+  the following prerequisites.
+  The Amazon EKS worker node IAM role (NodeInstanceRole) that you use with your
+  worker nodes must possess the following IAM policy permissions for Amazon
+  ECR.
+
+  <tt>
+  {
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Effect": "Allow",
+        "Action": [
+          "ecr:BatchCheckLayerAvailability",
+          "ecr:BatchGetImage",
+          "ecr:GetDownloadUrlForLayer",
+          "ecr:GetAuthorizationToken"
+        ],
+        "Resource": "*"
+      }
+    ]
+  }
+  </tt>

applications/openshift/registry/registry_access/rule.yml

@@ -0,0 +1,119 @@
+documentation_complete: true
+
+prodtype: eks
+
+title: 'Minimize user access to Amazon ECR'
+
+description: |-
+  Restrict user access to Amazon ECR, limiting interaction with build images to
+  only authorized personnel and service accounts.
+
+rationale: |-
+  Weak access control to Amazon ECR may allow malicious users to replace built
+  images with vulnerable containers.
+
+severity: unknown
+
+identifiers:
+  cce@eks: CCE-89643-1
+
+references:
+  cis@eks: 5.1.2
+
+ocil_clause: 'access to the container image registry is restricted'
+
+ocil: |-
+  Remediation:
+
+  Before you use IAM to manage access to Amazon ECR, you should understand what
+  IAM features are available to use with Amazon ECR. To get a high-level view
+  of how Amazon ECR and other AWS services work with IAM, see AWS Services That
+  Work with IAM in the IAM User Guide.
+
+  <b>Topics</b>
+
+  <ol>
+  <li>Amazon ECR Identity-Based Policies</li>
+  <li>Amazon ECR Resource-Based Policies</li>
+  <li>Authorization Based on Amazon ECR Tags</li>
+  <li>Amazon ECR IAM Roles</li>
+  </ol>
+
+  <b>Amazon ECR Identity-Based Policies</b>
+
+  With IAM identity-based policies, you can specify allowed or denied actions
+  and resources as well as the conditions under which actions are allowed or
+  denied. Amazon ECR supports specific actions, resources, and condition keys.
+  To learn about all of the elements that you use in a JSON policy, see IAM
+  JSON Policy Elements Reference in the IAM User Guide.
+
+  <b>Actions</b>
+
+  The Action element of an IAM identity-based policy describes the specific
+  action or actions that will be allowed or denied by the policy. Policy
+  actions usually have the same name as the associated AWS API operation. The
+  action is used in a policy to grant permissions to perform the associated
+  operation.
+
+  Policy actions in Amazon ECR use the following prefix before the action:
+  ecr:. For example, to grant someone permission to create an Amazon ECR
+  repository with the Amazon ECR CreateRepository API operation, you include
+  the ecr:CreateRepository action in their policy. Policy statements must
+  include either an Action or NotAction element. Amazon ECR defines its own set
+  of actions that describe tasks that you can perform with this service. To
+  specify multiple actions in a single statement, separate them with commas as
+  follows: <tt>"Action": [ "ecr:action1", "ecr:action2"</tt> You can specify
+  multiple actions using wildcards (<tt>*</tt>). For example, to specify all
+  actions that begin with the word Describe, include the following action:
+  <tt>"Action": "ecr:Describe*"</tt> To see a list of Amazon ECR actions, see
+  Actions, Resources, and Condition Keys for Amazon Elastic Container
+  Registry in the IAM User Guide.
+
+  <b>Resources</b>
+
+  The Resource element specifies the object or objects to which the action
+  applies. Statements must include either a Resource or a NotResource element.
+  You specify a resource using an ARN or using the wildcard (<tt>*</tt>) to
+  indicate that the statement applies to all resources.
+
+  An Amazon ECR repository resource has the following ARN:
+  <tt>arn:$<i>{Partition}</i>:ecr:$<i>{Region}</i>:$<i>{Account}</i>:repository/$<i>{Repository-name}</i></tt>
+  For more information about the format of ARNs, see Amazon Resource Names
+  (ARNs) and AWS Service Namespaces.
+  For example, to specify the my-repo repository in the us-east-1 Region in
+  your statement, use the following ARN:
+  <tt>"Resource": "arn:aws:ecr:us-east-1:123456789012:repository/my-repo"</tt>
+  To specify all repositories that belong to a specific account, use the
+  wildcard (<tt>*</tt>): "Resource":
+  <tt>"arn:aws:ecr:us-east-1:123456789012:repository/*"</tt>
+  To specify multiple resources in a single statement, separate the ARNs with
+  commas. <tt>"Resource": [ "resource1", "resource2"</tt>
+  To see a list of Amazon ECR resource types and their ARNs, see Resources
+  Defined by Amazon Elastic Container Registry in the IAM User Guide. To learn
+  with which actions you can specify the ARN of each resource, see Actions
+  Defined by Amazon Elastic Container Registry.
+
+  <b>Condition Keys</b>
+
+  The Condition element (or Condition block) lets you specify conditions in
+  which a statement is in effect. The Condition element is optional. You can
+  build conditional expressions that use condition operators, such as equals or
+  less than, to match the condition in the policy with values in the request.
+  If you specify multiple Condition elements in a statement, or multiple keys
+  in a single Condition element, AWS evaluates them using a logical AND
+  operation. If you specify multiple values for a single condition key, AWS
+  evaluates the condition using a logical OR operation. All of the conditions
+  must be met before the statement's permissions are granted.
+  You can also use placeholder variables when you specify conditions. For
+  example, you can grant an IAM user permission to access a resource only if it
+  is tagged with their IAM user name. For more information, see IAM Policy
+  Elements: Variables and Tags in the IAM User Guide.
+  Amazon ECR defines its own set of condition keys and also supports using some global
+  condition keys. To see all AWS global condition keys, see AWS Global Condition Context
+  Keys in the IAM User Guide.
+  Most Amazon ECR actions support the aws:ResourceTag and ecr:ResourceTag
+  condition keys. For more information, see Using Tag-Based Access Control. To
+  see a list of Amazon ECR condition keys, see Condition Keys Defined by Amazon
+  Elastic Container Registry in the IAM User Guide. To learn with which actions
+  and resources you can use a condition key, see Actions Defined by Amazon
+  Elastic Container Registry.

controls/cis_eks.yml

@@ -816,7 +816,8 @@ controls:
         for known vulnerabilities.
       levels:
       - level_1
-      rules: []
+      rules:
+      - image_scanning
     - id: 5.1.2
       title: >-
         5.1.2 Minimize user access to Amazon ECR
@@ -836,7 +837,8 @@ controls:
         built images with vulnerable containers.
       levels:
       - level_1
-      rules: []
+      rules:
+      - registry_access
     - id: 5.1.3
       title: >-
         5.1.3 Minimize cluster access to read-only for Amazon ECR
@@ -859,7 +861,8 @@ controls:
           required role.
       levels:
       - level_1
-      rules: []
+      rules:
+      - read_only_registry_access
     - id: 5.1.4
       title: >-
         5.1.4 Minimize Container Registries to only those approved
@@ -879,7 +882,8 @@ controls:
           registries reduces this risk.
       levels:
       - level_2
-      rules: []
+      rules:
+      - approved_registries
   - id: '5.2'
     title: >-
       5.2 Identity and Access Management (IAM)

shared/references/cce-redhat-avail.txt

@@ -705,7 +705,6 @@ CCE-86677-2
 CCE-86678-0
 CCE-86679-8
 CCE-86680-6
-CCE-86681-4
 CCE-86682-2
 CCE-86683-0
 CCE-86684-8
@@ -906,7 +905,6 @@ CCE-86897-6
 CCE-86898-4
 CCE-86899-2
 CCE-86900-8
-CCE-86901-6
 CCE-86902-4
 CCE-86905-7
 CCE-86906-5
@@ -2912,7 +2910,6 @@ CCE-88986-5
 CCE-88987-3
 CCE-88988-1
 CCE-88989-9
-CCE-88990-7
 CCE-88991-5
 CCE-88992-3
 CCE-88993-1
@@ -3541,7 +3538,6 @@ CCE-89639-9
 CCE-89640-7
 CCE-89641-5
 CCE-89642-3
-CCE-89643-1
 CCE-89644-9
 CCE-89645-6
 CCE-89646-4