updated with new resource_type format (#33)

tenable · Aug 19, 2021 · 8e59f38 · 8e59f38
1 parent 1ae0a45
commit 8e59f38
Show file tree

Hide file tree

Showing 322 changed files with 5,864 additions and 5,402 deletions.
diff --git a/pkg/policies/opa/rego/aws/aws_api_gateway_stage/AWS.API Gateway.Logging.Medium.0567.json b/pkg/policies/opa/rego/aws/aws_api_gateway_stage/AWS.API Gateway.Logging.Medium.0567.json
@@ -3,7 +3,8 @@
     "file": "apiGatewayName.rego",
     "policy_type": "aws",
     "resource_type": {
-        "aws_api_gateway_stage": true
+        "aws_api_gateway_stage": true,
+        "aws_cloudwatch_log_group": true
     },
     "template_args": null,
     "severity": "MEDIUM",

diff --git a/pkg/policies/opa/rego/aws/aws_cloudformation_stack/AWS.CloudFormation.Medium.0605.json b/pkg/policies/opa/rego/aws/aws_cloudformation_stack/AWS.CloudFormation.Medium.0605.json
@@ -3,7 +3,8 @@
     "file": "cloudFormationTerminationProtection.rego",
     "policy_type": "aws",
     "resource_type": {
-        "aws_cloudformation_stack": true
+        "aws_cloudformation_stack": true,
+        "aws_cloudformation_stack_set_instance": true
     },
     "template_args": null,
     "severity": "MEDIUM",

diff --git a/pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.CloudTrail.Logging.Low.009.json b/pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.CloudTrail.Logging.Low.009.json
@@ -3,7 +3,8 @@
     "file": "ecr_make_tags_immutable.rego",
     "policy_type": "aws",
     "resource_type": {
-        "aws_cloudtrail": true
+        "aws_cloudtrail": true,
+        "aws_ecr_repository": true
     },
     "template_args": {
         "prefix": ""

diff --git a/pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.CloudTrail.Logging.Medium.008.json b/pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.CloudTrail.Logging.Medium.008.json
@@ -3,7 +3,8 @@
     "file": "ec2_ebs_not_optimized.rego",
     "policy_type": "aws",
     "resource_type": {
-        "aws_cloudtrail": true
+        "aws_cloudtrail": true,
+        "aws_instance": true
     },
     "template_args": {
         "prefix": ""

diff --git a/pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.Config.Logging.Medium.0590.json b/pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.Config.Logging.Medium.0590.json
@@ -3,7 +3,8 @@
     "file": "configEnabled.rego",
     "policy_type": "aws",
     "resource_type": {
-        "aws_cloudtrail": true
+        "aws_cloudtrail": true,
+        "aws_config_configuration_aggregator": true
     },
     "template_args": {
         "prefix": ""

diff --git a/...cies/opa/rego/aws/aws_cloudwatch/AWS.CloudWatch.EncryptionandKeyManagement.High.0632.json b/...cies/opa/rego/aws/aws_cloudwatch/AWS.CloudWatch.EncryptionandKeyManagement.High.0632.json
@@ -3,7 +3,8 @@
     "file": "logGroupNotEncryptedWithKms.rego",
     "policy_type": "aws",
     "resource_type": {
-        "aws_cloudwatch": true
+        "aws_cloudwatch": true,
+        "aws_cloudwatch_log_group": true
     },
     "template_args": null,
     "severity": "HIGH",

diff --git a/pkg/policies/opa/rego/aws/aws_cloudwatch/AWS.CloudWatch.Logging.Medium.0631.json b/pkg/policies/opa/rego/aws/aws_cloudwatch/AWS.CloudWatch.Logging.Medium.0631.json
@@ -3,7 +3,8 @@
     "file": "awsCloudWatchRetentionPreiod.rego",
     "policy_type": "aws",
     "resource_type": {
-        "aws_cloudwatch": true
+        "aws_cloudwatch": true,
+        "aws_cloudwatch_log_group": true
     },
     "template_args": null,
     "severity": "MEDIUM",

diff --git a/pkg/policies/opa/rego/aws/aws_ebs_volume/AWS.EBS.EKM.Medium.0682.json b/pkg/policies/opa/rego/aws/aws_ebs_volume/AWS.EBS.EKM.Medium.0682.json
@@ -3,7 +3,8 @@
     "file": "ebsSnapshot.rego",
     "policy_type": "aws",
     "resource_type": {
-        "aws_ebs_volume": true
+        "aws_ebs_volume": true,
+        "aws_ebs_snapshot": true
     },
     "template_args": {
         "name": "ebsSnapshotDisabled",

diff --git a/pkg/policies/opa/rego/aws/aws_instance/AC-AW-IA-IN-H-0442.json b/pkg/policies/opa/rego/aws/aws_instance/AC-AW-IA-IN-H-0442.json
@@ -3,7 +3,9 @@
     "file": "overlyPermissiveInstance.rego",
     "policy_type": "aws",
     "resource_type": {
-        "aws_instance": true
+        "aws_instance": true,
+        "aws_iam_role_policy_attachment": true,
+        "aws_iam_policy": true
     },
     "template_args": {
         "prefix": ""

diff --git a/pkg/policies/opa/rego/aws/aws_instance/AC-AW-IS-IN-H-0443.json b/pkg/policies/opa/rego/aws/aws_instance/AC-AW-IS-IN-H-0443.json
@@ -3,7 +3,11 @@
     "file": "instanceExposedToInternet.rego",
     "policy_type": "aws",
     "resource_type": {
-        "aws_instance": true
+        "aws_instance": true,
+        "aws_security_group": true,
+        "aws_route_table": true,
+        "aws_subnet": true,
+        "aws_route_table_association": true
     },
     "template_args": {
         "prefix": ""

diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0227.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0227.json
@@ -1,22 +1,23 @@
 {
-	"name": "port22OpenToInternet",
-	"file": "portOpenToInternet.rego",
-	"policy_type": "aws",
-	"resource_type": {
-		"aws_security_group": true
-	},
-	"template_args": {
-		"defaultValue": "<cidr>",
-		"name": "port22OpenToInternet",
-		"portNumber": 22,
-		"prefix": "",
-		"protocol": "tcp",
-		"suffix": ""
-	},
-	"severity": "HIGH",
-	"description": "Security Groups - Unrestricted Specific Ports - (SSH,22)",
-	"reference_id": "AC_AWS_0227",
-	"category": "Infrastructure Security",
-	"version": 2,
-	"id": "AC_AWS_0227"
+    "name": "port22OpenToInternet",
+    "file": "portOpenToInternet.rego",
+    "policy_type": "aws",
+    "resource_type": {
+        "aws_security_group": true,
+        "aws_security_group_rule": true
+    },
+    "template_args": {
+        "defaultValue": "<cidr>",
+        "name": "port22OpenToInternet",
+        "portNumber": 22,
+        "prefix": "",
+        "protocol": "tcp",
+        "suffix": ""
+    },
+    "severity": "HIGH",
+    "description": "Security Groups - Unrestricted Specific Ports - (SSH,22)",
+    "reference_id": "AC_AWS_0227",
+    "category": "Infrastructure Security",
+    "version": 2,
+    "id": "AC_AWS_0227"
 }
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0228.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0228.json
@@ -1,22 +1,23 @@
 {
-	"name": "port80OpenToInternet",
-	"file": "portOpenToInternet.rego",
-	"policy_type": "aws",
-	"resource_type": {
-		"aws_security_group": true
-	},
-	"template_args": {
-		"defaultValue": "<cidr>",
-		"name": "port80OpenToInternet",
-		"portNumber": 80,
-		"prefix": "",
-		"protocol": "tcp",
-		"suffix": ""
-	},
-	"severity": "HIGH",
-	"description": "Security Groups - Unrestricted Specific Ports - (HTTP,80)",
-	"reference_id": "AC_AWS_0228",
-	"category": "Infrastructure Security",
-	"version": 2,
-	"id": "AC_AWS_0228"
+    "name": "port80OpenToInternet",
+    "file": "portOpenToInternet.rego",
+    "policy_type": "aws",
+    "resource_type": {
+        "aws_security_group": true,
+        "aws_security_group_rule": true
+    },
+    "template_args": {
+        "defaultValue": "<cidr>",
+        "name": "port80OpenToInternet",
+        "portNumber": 80,
+        "prefix": "",
+        "protocol": "tcp",
+        "suffix": ""
+    },
+    "severity": "HIGH",
+    "description": "Security Groups - Unrestricted Specific Ports - (HTTP,80)",
+    "reference_id": "AC_AWS_0228",
+    "category": "Infrastructure Security",
+    "version": 2,
+    "id": "AC_AWS_0228"
 }
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0229.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0229.json
@@ -1,22 +1,23 @@
 {
-	"name": "port443OpenToInternet",
-	"file": "portOpenToInternet.rego",
-	"policy_type": "aws",
-	"resource_type": {
-		"aws_security_group": true
-	},
-	"template_args": {
-		"defaultValue": "<cidr>",
-		"name": "port443OpenToInternet",
-		"portNumber": 443,
-		"prefix": "",
-		"protocol": "tcp",
-		"suffix": ""
-	},
-	"severity": "LOW",
-	"description": "Security Groups - Unrestricted Specific Ports - (HTTPS,443)",
-	"reference_id": "AC_AWS_0229",
-	"category": "Infrastructure Security",
-	"version": 2,
-	"id": "AC_AWS_0229"
+    "name": "port443OpenToInternet",
+    "file": "portOpenToInternet.rego",
+    "policy_type": "aws",
+    "resource_type": {
+        "aws_security_group": true,
+        "aws_security_group_rule": true
+    },
+    "template_args": {
+        "defaultValue": "<cidr>",
+        "name": "port443OpenToInternet",
+        "portNumber": 443,
+        "prefix": "",
+        "protocol": "tcp",
+        "suffix": ""
+    },
+    "severity": "LOW",
+    "description": "Security Groups - Unrestricted Specific Ports - (HTTPS,443)",
+    "reference_id": "AC_AWS_0229",
+    "category": "Infrastructure Security",
+    "version": 2,
+    "id": "AC_AWS_0229"
 }
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0230.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0230.json
@@ -1,22 +1,23 @@
 {
-	"name": "port3389OpenToInternet",
-	"file": "portOpenToInternet.rego",
-	"policy_type": "aws",
-	"resource_type": {
-		"aws_security_group": true
-	},
-	"template_args": {
-		"defaultValue": "<cidr>",
-		"name": "port3389OpenToInternet",
-		"portNumber": 3389,
-		"prefix": "",
-		"protocol": "tcp",
-		"suffix": ""
-	},
-	"severity": "HIGH",
-	"description": "Security Groups - Unrestricted Specific Ports - remote desktop port (TCP,3389)",
-	"reference_id": "AC_AWS_0230",
-	"category": "Infrastructure Security",
-	"version": 2,
-	"id": "AC_AWS_0230"
+    "name": "port3389OpenToInternet",
+    "file": "portOpenToInternet.rego",
+    "policy_type": "aws",
+    "resource_type": {
+        "aws_security_group": true,
+        "aws_security_group_rule": true
+    },
+    "template_args": {
+        "defaultValue": "<cidr>",
+        "name": "port3389OpenToInternet",
+        "portNumber": 3389,
+        "prefix": "",
+        "protocol": "tcp",
+        "suffix": ""
+    },
+    "severity": "HIGH",
+    "description": "Security Groups - Unrestricted Specific Ports - remote desktop port (TCP,3389)",
+    "reference_id": "AC_AWS_0230",
+    "category": "Infrastructure Security",
+    "version": 2,
+    "id": "AC_AWS_0230"
 }
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0231.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0231.json
@@ -1,20 +1,21 @@
 {
-	"name": "unrestrictedIngressAccess",
-	"file": "unrestrictedIngressAccess.rego",
-	"policy_type": "aws",
-	"resource_type": {
-		"aws_security_group": true
-	},
-	"template_args": {
-		"defaultValue": "<cidr>",
-		"name": "unrestrictedIngressAccess",
-		"prefix": "",
-		"suffix": ""
-	},
-	"severity": "HIGH",
-	"description": "Ensure no security groups allow ingress from 0.0.0.0/0 to ALL ports and protocols",
-	"reference_id": "AC_AWS_0231",
-	"category": "Infrastructure Security",
-	"version": 2,
-	"id": "AC_AWS_0231"
+    "name": "unrestrictedIngressAccess",
+    "file": "unrestrictedIngressAccess.rego",
+    "policy_type": "aws",
+    "resource_type": {
+        "aws_security_group": true,
+        "aws_security_group_rule": true
+    },
+    "template_args": {
+        "defaultValue": "<cidr>",
+        "name": "unrestrictedIngressAccess",
+        "prefix": "",
+        "suffix": ""
+    },
+    "severity": "HIGH",
+    "description": "Ensure no security groups allow ingress from 0.0.0.0/0 to ALL ports and protocols",
+    "reference_id": "AC_AWS_0231",
+    "category": "Infrastructure Security",
+    "version": 2,
+    "id": "AC_AWS_0231"
 }
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0232.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0232.json
@@ -1,19 +1,20 @@
 {
-	"name": "defaultSGNotRestrictsAllTraffic",
-	"file": "defaultSGNotRestrictsAllTraffic.rego",
-	"policy_type": "aws",
-	"resource_type": {
-		"aws_security_group": true
-	},
-	"template_args": {
-		"name": "defaultSGNotRestrictsAllTraffic",
-		"prefix": "",
-		"suffix": ""
-	},
-	"severity": "HIGH",
-	"description": "Ensure no default security groups are used as they allow ingress from 0.0.0.0/0 to ALL ports and protocols",
-	"reference_id": "AC_AWS_0232",
-	"category": "Infrastructure Security",
-	"version": 2,
-	"id": "AC_AWS_0232"
+    "name": "defaultSGNotRestrictsAllTraffic",
+    "file": "defaultSGNotRestrictsAllTraffic.rego",
+    "policy_type": "aws",
+    "resource_type": {
+        "aws_security_group": true,
+        "aws_security_group_rule": true
+    },
+    "template_args": {
+        "name": "defaultSGNotRestrictsAllTraffic",
+        "prefix": "",
+        "suffix": ""
+    },
+    "severity": "HIGH",
+    "description": "Ensure no default security groups are used as they allow ingress from 0.0.0.0/0 to ALL ports and protocols",
+    "reference_id": "AC_AWS_0232",
+    "category": "Infrastructure Security",
+    "version": 2,
+    "id": "AC_AWS_0232"
 }