AWS policy pack update (#737)

pkg/policies/opa/rego/aws/aws_athena_database/AC_AWS_016.json

@@ -0,0 +1,12 @@
+{
+    "name": "athenaDatabaseEncrypted",
+    "file": "athenaDatabaseEncrypted.rego",
+    "template_args": {
+        "prefix": ""
+    },
+    "severity": "MEDIUM",
+    "description": "Ensure Athena Database is encrypted at rest",
+    "reference_id": "AC_AWS_016",
+    "category": "Data Protection",
+    "version": 2
+}

pkg/policies/opa/rego/aws/aws_athena_database/athenaDatabaseEncrypted.rego

@@ -0,0 +1,6 @@
+package accurics
+
+{{.prefix}}athenaDatabaseEncrypted[athena.id]{
+    athena = input.aws_athena_database[_]
+	object.get(athena.config, "encryption_configuration", "undefined") = ["undefined", []][_]
+}

pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.CloudTrail.Logging.High.0399.json

@@ -5,7 +5,7 @@
         "prefix": ""
     },
     "severity": "HIGH",
-    "description": "Cloud Trail Log Not Enabled",
+    "description": "Ensure CloudTrail logs are encrypted using KMS",
     "reference_id": "AWS.CloudTrail.Logging.High.0399",
     "category": "Logging and Monitoring",
     "version": 2

pkg/policies/opa/rego/aws/aws_cloudtrail/cloudTrailLogNotEncrypted.rego

@@ -1,9 +1,6 @@
 package accurics
 
-{{.prefix}}cloudTrailLogNotEncrypted[retVal]{
+{{.prefix}}cloudTrailLogNotEncrypted[cloud_trail.id]{
     cloud_trail = input.aws_cloudtrail[_]
-    cloud_trail.config.kms_key_id == null
-
-    traverse = "kms_key_id"
-    retVal := { "Id": cloud_trail.id, "ReplaceType": "edit", "CodeType": "attribute", "Traverse": traverse, "Attribute": "kms_key_id", "AttributeDataType": "string", "Expected": "<kms_key_id>", "Actual": cloud_trail.config.kms_key_id }
+    object.get(cloud_trail.config, "kms_key_id", "undefined") == [null, "undefined"][_]
 }

pkg/policies/opa/rego/aws/aws_dax_cluster/AC_AWS_021.json

@@ -0,0 +1,12 @@
+{
+    "name": "daxSse",
+    "file": "daxSse.rego",
+    "template_args": {
+        "prefix": ""
+    },
+    "severity": "MEDIUM",
+    "description": "Ensure DAX is encrypted at rest",
+    "reference_id": "AC_AWS_021",
+    "category": "Data Protection",
+    "version": 2
+}

pkg/policies/opa/rego/aws/aws_dax_cluster/daxSse.rego

@@ -0,0 +1,12 @@
+package accurics
+
+{{.prefix}}daxSse[dax_cluster.id] {
+    dax_cluster := input.aws_dax_cluster[_]
+    object.get(dax_cluster.config, "server_side_encryption", "undefined") == [[], "undefined"][_]
+}
+
+{{.prefix}}daxSse[dax_cluster.id] {
+    dax_cluster := input.aws_dax_cluster[_]
+    sse_encryption := dax_cluster.config.server_side_encryption[_]
+    sse_encryption.enabled == false
+}

pkg/policies/opa/rego/aws/aws_doc_db/AC_AWS_022.json

@@ -0,0 +1,12 @@
+{
+    "name": "docDbEncrypted",
+    "file": "docDbEncrypted.rego",
+    "template_args": {
+        "prefix": ""
+    },
+    "severity": "MEDIUM",
+    "description": "Ensure DocDb is encrypted at rest",
+    "reference_id": "AC_AWS_022",
+    "category": "Data Protection",
+    "version": 2
+}

pkg/policies/opa/rego/aws/aws_doc_db/docDbEncrypted.rego

@@ -0,0 +1,11 @@
+package accurics
+
+{{.prefix}}docDbEncrypted[doc_cluster.id] {
+    doc_cluster := input.aws_docdb_cluster[_]
+    object.get(doc_cluster.config, "storage_encrypted", "undefined") == [false, "undefined"][_]
+}
+
+{{.prefix}}docDbEncrypted[doc_cluster.id] {
+    doc_cluster := input.aws_docdb_cluster[_]
+    object.get(doc_cluster.config, "kms_key_id", "undefined") == "undefined"
+}

pkg/policies/opa/rego/aws/aws_dynamodb_table/AC_AWS_025.json

@@ -0,0 +1,12 @@
+{
+    "name": "dynamoDbEncrypted",
+    "file": "dynamoDbEncrypted.rego",
+    "template_args": {
+        "prefix": ""
+    },
+    "severity": "MEDIUM",
+    "description": "Ensure DynamoDb is encrypted at rest",
+    "reference_id": "AC_AWS_025",
+    "category": "Data Protection",
+    "version": 2
+}

pkg/policies/opa/rego/aws/aws_dynamodb_table/dynamoDbEncrypted.rego

@@ -0,0 +1,12 @@
+package accurics
+
+{{.prefix}}dynamoDbEncrypted[dydb_cluster.id] {
+    dydb_cluster := input.aws_dynamodb_table[_]
+    object.get(dydb_cluster.config, "server_side_encryption", "undefined") == [[], "undefined"][_]
+}
+
+{{.prefix}}dynamoDbEncrypted[dydb_cluster.id] {
+    dydb_cluster := input.aws_dynamodb_table[_]
+    sse_encryption := dydb_cluster.config.server_side_encryption[_]
+    sse_encryption.enabled == false
+}

pkg/policies/opa/rego/aws/aws_ecr_repository/AC_AWS_026.json

@@ -0,0 +1,12 @@
+{
+    "name": "ecrNotEncrypted",
+    "file": "ecrNotEncrypted.rego",
+    "template_args": {
+        "prefix": ""
+    },
+    "severity": "MEDIUM",
+    "description": "Ensure ECR repository is encrypted at rest",
+    "reference_id": "AC_AWS_026",
+    "category": "Data Protection",
+    "version": 2
+}

pkg/policies/opa/rego/aws/aws_ecr_repository/ecrNotEncrypted.rego

@@ -0,0 +1,11 @@
+package accurics
+
+{{.prefix}}ecrNotEncrypted[ecr.id] {
+    ecr := input.aws_ecr_repository[_]
+    object.get(ecr.config, "encryption_configuration", "undefined") == ["undefined", []][_]
+}
+
+{{.prefix}}ecrNotEncrypted[ecr.id] {
+    ecr := input.aws_ecr_repository[_]
+    ecr.config.encryption_configuration[_] == {}
+}

pkg/policies/opa/rego/aws/aws_ecs_task_definition/AC_AWS_043.json

@@ -0,0 +1,12 @@
+{
+    "name": "noTransitEncryptionECS",
+    "file": "noTransitEncryptionECS.rego",
+    "template_args": {
+        "prefix": ""
+    },
+    "severity": "MEDIUM",
+    "description": "Ensure EFS volume used for ECS task defination has in transit encryption enabled",
+    "reference_id": "AC_AWS_043",
+    "category": "Infrastructure Security",
+    "version": 2
+}

pkg/policies/opa/rego/aws/aws_ecs_task_definition/noTransitEncryptionECS.rego

@@ -0,0 +1,7 @@
+package accurics
+
+{{.prefix}}noTransitEncryptionECS[ecs.id]{
+	ecs := input.aws_ecs_task_definition[_]
+    efs := ecs.config.volume[_].efs_volume_configuration[_]
+    object.get(efs, "transit_encryption", "undefined") == ["undefined", false, ""][_]
+}

pkg/policies/opa/rego/aws/aws_elasticcache_replication_group/AC_AWS_027.json

@@ -0,0 +1,12 @@
+{
+    "name": "atRestNotEncryptedElasticCache",
+    "file": "atRestNotEncrypted.rego",
+    "template_args": {
+        "prefix": ""
+    },
+    "severity": "MEDIUM",
+    "description": "Ensure Elastic Cache Replication Group is encrypted at rest",
+    "reference_id": "AC_AWS_027",
+    "category": "Data Protection",
+    "version": 2
+}

pkg/policies/opa/rego/aws/aws_elasticcache_replication_group/AC_AWS_044.json

@@ -0,0 +1,12 @@
+{
+    "name": "inTransitNotEncryptedElasticCache",
+    "file": "inTransitNotEncrypted.rego",
+    "template_args": {
+        "prefix": ""
+    },
+    "severity": "MEDIUM",
+    "description": "Ensure Elastic Cache Replication Group is encrypted in transit",
+    "reference_id": "AC_AWS_044",
+    "category": "Data Protection",
+    "version": 2
+}

pkg/policies/opa/rego/aws/aws_elasticcache_replication_group/atRestNotEncrypted.rego

@@ -0,0 +1,6 @@
+package accurics
+
+{{.prefix}}atRestNotEncryptedElasticCache[replication_grp.id] {
+    replication_grp := input.aws_elasticache_replication_group[_]
+    object.get(replication_grp.config, "at_rest_encryption_enabled", "undefined") == [false, "undefined"][_]
+}

pkg/policies/opa/rego/aws/aws_elasticcache_replication_group/inTransitNotEncrypted.rego

@@ -0,0 +1,6 @@
+package accurics
+
+{{.prefix}}inTransitNotEncryptedElasticCache[replication_grp.id] {
+    replication_grp := input.aws_elasticache_replication_group[_]
+    object.get(replication_grp.config, "transit_encryption_enabled", "undefined") == [false, "undefined"][_]
+}

pkg/policies/opa/rego/aws/aws_elasticsearch_domain/AC_AWS_045.json

@@ -0,0 +1,12 @@
+{
+    "name": "noNodeToNodeEncryptionDomain",
+    "file": "noNodeToNodeEncryptionDomain.rego",
+    "template_args": {
+        "prefix": ""
+    },
+    "severity": "MEDIUM",
+    "description": "Ensure Elasticsearch domains being created are set to be encrypted node-to-node",
+    "reference_id": "AC_AWS_045",
+    "category": "Infrastructure Security",
+    "version": 2
+}

pkg/policies/opa/rego/aws/aws_elasticsearch_domain/noNodeToNodeEncryptionDomain.rego

@@ -0,0 +1,11 @@
+package accurics
+
+{{.prefix}}noNodeToNodeEncryptionDomain[domain.id] {
+    domain := input.aws_elasticsearch_domain[_]
+    object.get(domain.config, "node_to_node_encryption", "undefined") == "undefined"
+}
+
+{{.prefix}}noNodeToNodeEncryptionDomain[domain.id] {
+    domain := input.aws_elasticsearch_domain[_]
+    object.get(domain.config.node_to_node_encryption[_], "enabled", "undefined") == ["undefined", false][_]
+}

pkg/policies/opa/rego/aws/aws_kinesis_stream/AWS.Kinesis.EncryptionandKeyManagement.High.0412.json

@@ -5,7 +5,7 @@
         "prefix": ""
     },
     "severity": "HIGH",
-    "description": "Kinesis Streams and metadata are not protected",
+    "description": "Ensure Kinesis Stream is encrypted",
     "reference_id": "AWS.Kinesis.EncryptionandKeyManagement.High.0412",
     "category": "Data Protection",
     "version": 2

pkg/policies/opa/rego/aws/aws_kinesis_stream/aws_kinesis_stream.rego

@@ -1,8 +1,11 @@
 package accurics
 
-{{.prefix}}kinesisNotEncryptedWithKms[retVal] {
+{{.prefix}}kinesisNotEncryptedWithKms[stream.id] {
     stream = input.aws_kinesis_stream[_]
     stream.config.kms_key_id == null
-    traverse = ""
-    retVal := { "Id": stream.id, "ReplaceType": "edit", "CodeType": "attribute", "Traverse": traverse, "Attribute": "kms_key_id", "AttributeDataType": "string", "Expected": "<kms_key_id>", "Actual": null }
+}
+
+{{.prefix}}kinesisNotEncryptedWithKms[stream.id] {
+    stream = input.aws_kinesis_stream[_]
+    object.get(stream.config, "encryption_type", "undefined") == ["NONE", "undefined"][_]
 }

pkg/policies/opa/rego/aws/aws_kms_key/AC_AWS_012.json

@@ -0,0 +1,12 @@
+{
+    "name": "kmsKeyRotationDisabled",
+    "file": "kmsKeyRotationDisabled.rego",
+    "template_args": {
+        "prefix": ""
+    },
+    "severity": "MEDIUM",
+    "description": "Ensure rotation for customer created CMKs is enabled",
+    "reference_id": "AC_AWS_012",
+    "category": "Security Best Practices",
+    "version": 2
+}

pkg/policies/opa/rego/aws/aws_kms_key/kmsKeyRotationDisabled.rego

@@ -2,8 +2,7 @@ package accurics
 
 {{.prefix}}kmsKeyRotationDisabled[retVal] {
     kms_key = input.aws_kms_key[_]
-    kms_key.config.is_enabled == true
-    kms_key.config.enable_key_rotation == false
+    object.get(kms_key.config, "enable_key_rotation", "undefined") == [false, "undefined"][_]
     traverse = "enable_key_rotation"
-    retVal := { "Id": kms_key.id, "ReplaceType": "edit", "CodeType": "attribute", "Traverse": traverse, "Attribute": "enable_key_rotation", "AttributeDataType": "bool", "Expected": true, "Actual": kms_key.config.enable_key_rotation }
+    retVal := { "Id": kms_key.id, "ReplaceType": "edit", "CodeType": "attribute", "Traverse": traverse, "Attribute": "enable_key_rotation", "AttributeDataType": "bool", "Expected": true, "Actual": null }
 }

pkg/policies/opa/rego/aws/aws_lb_listener/AC_AWS_046.json

@@ -0,0 +1,12 @@
+{
+    "name": "listenerNotHttps",
+    "file": "listenerNotHttps.rego",
+    "template_args": {
+        "prefix": ""
+    },
+    "severity": "MEDIUM",
+    "description": "Ensure there is a one listener configured on HTTPs",
+    "reference_id": "AC_AWS_046",
+    "category": "Infrastructure Security",
+    "version": 2
+}

pkg/policies/opa/rego/aws/aws_lb_listener/listenerNotHttps.rego

@@ -0,0 +1,13 @@
+package accurics
+
+{{.prefix}}listenerNotHttps[listener.id] {
+    listener = input.aws_lb_listener[_]
+    upper(listener.config.protocol) == "HTTP"
+    not listener.default_action.redirect.protocol
+}
+
+{{.prefix}}listenerNotHttps[listener.id] {
+    listener = input.aws_lb_listener[_]
+    upper(listener.config.protocol) == "HTTP"
+    upper(listener.default_action.redirect.protocol) != "HTTPS"
+}

pkg/policies/opa/rego/aws/aws_lb_target_group/AC_AWS_042.json

@@ -0,0 +1,12 @@
+{
+    "name": "targetGroupUsingHttp",
+    "file": "targetGroupUsingHttp.rego",
+    "template_args": {
+        "prefix": ""
+    },
+    "severity": "MEDIUM",
+    "description": "Ensure Target Group use HTTPs to ensure end to end encryption",
+    "reference_id": "AC_AWS_042",
+    "category": "Infrastructure Security",
+    "version": 2
+}

pkg/policies/opa/rego/aws/aws_lb_target_group/targetGroupUsingHttp.rego

@@ -0,0 +1,6 @@
+package accurics
+
+{{.prefix}}targetGroupUsingHttp[tg_group.id] {
+    tg_group = input.aws_lb_target_group[_]
+    upper(tg_group.config.protocol) == "HTTP"
+}

pkg/policies/opa/rego/aws/aws_neptune_cluster/AC_AWS_030.json

@@ -0,0 +1,12 @@
+{
+    "name": "neptuneClusterNotEncrypted",
+    "file": "neptuneClusterNotEncrypted.rego",
+    "template_args": {
+        "prefix": ""
+    },
+    "severity": "MEDIUM",
+    "description": "Ensure Neptune Cluster is Encrypted",
+    "reference_id": "AC_AWS_030",
+    "category": "Data Protection",
+    "version": 2
+}

pkg/policies/opa/rego/aws/aws_neptune_cluster/neptuneClusterNotEncrypted.rego

@@ -0,0 +1,6 @@
+package accurics
+
+{{.prefix}}neptuneClusterNotEncrypted[np.id] {
+    np = input.aws_neptune_cluster[_]
+    object.get(np.config, "storage_encrypted", "undefined") == [false, "undefined"][_]
+}

pkg/policies/opa/rego/aws/aws_rds_cluster/AC_AWS_013.json

@@ -0,0 +1,12 @@
+{
+    "name": "backupRetentionRDS",
+    "file": "backupRetention.rego",
+    "template_args": {
+        "prefix": ""
+    },
+    "severity": "MEDIUM",
+    "description": "Ensure backup retention period is set for rds cluster",
+    "reference_id": "AC_AWS_013",
+    "category": "Resilience",
+    "version": 2
+}

pkg/policies/opa/rego/aws/aws_rds_cluster/backupRetention.rego

@@ -0,0 +1,11 @@
+package accurics
+
+{{.prefix}}backupRetentionRDS[rds.id]{
+    rds = input.aws_rds_cluster[_]
+	object.get(rds.config, "backup_retention_period", "undefined") == "undefined"
+}
+
+{{.prefix}}backupRetention[rds.id]{
+    rds = input.aws_rds_cluster[_]
+	rds.config.backup_retention_period <= 7
+}