Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

AWS Risk Category Changes #603

Merged
merged 2 commits into from
Mar 12, 2021
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,6 @@
"severity": "MEDIUM",
"description": "Enable AWS AMI Encryption",
"reference_id": "AWS.EC2.Encryption\u0026KeyManagement.Medium.0688",
"category": "Encryption \u0026 KeyManagement",
"category": "Infrastructure Security",
"version": 1
}
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,6 @@
"severity": "MEDIUM",
"description": "Limit access to AWS AMIs",
"reference_id": "AWS.AMI.NS.Medium.1040",
"category": "Network Security",
"category": "Infrastructure Security",
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,6 @@
"severity": "MEDIUM",
"description": "Enable Detailed CloudWatch Metrics for APIs",
"reference_id": "AWS.API Gateway.Logging.Medium.0569",
"category": "Logging",
"category": "Logging and Monitoring",
"version": 2
}
18 changes: 9 additions & 9 deletions pkg/policies/opa/rego/aws/aws_api_gateway_rest_api/AWS.APIGateway.Medium.0568.json
100755 → 100644
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@
{
"name": "apiGatewayContentEncoding",
"file": "apiGatewayContentEncoding.rego",
"template_args": null,
"severity": "MEDIUM",
"description": "Enable Content Encoding",
"reference_id": "AWS.APIGateway.Medium.0568",
"category": " ",
"version": 1
}
"name": "apiGatewayContentEncoding",
"file": "apiGatewayContentEncoding.rego",
"template_args": null,
"severity": "MEDIUM",
"description": "Enable Content Encoding",
"reference_id": "AWS.APIGateway.Medium.0568",
"category": "Infrastructure Security",
"version": 1
}
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,6 @@
"severity": "MEDIUM",
"description": "API Gateway Private Endpoints",
"reference_id": "AWS.APIGateway.Network Security.Medium.0570",
"category": "Network Security",
"category": "Infrastructure Security",
"version": 1
}
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,6 @@
"severity": "MEDIUM",
"description": "Enable AWS CloudWatch Logs for APIs",
"reference_id": "AWS.API Gateway.Logging.Medium.0567",
"category": "Logging",
"category": "Logging and Monitoring",
"version": 1
}
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,6 @@
"severity": "MEDIUM",
"description": "Enable Active Tracing",
"reference_id": "AWS.API Gateway.Logging.Medium.0571",
"category": "Logging",
"category": "Logging and Monitoring",
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,6 @@
"severity": "MEDIUM",
"description": "Ensure that AWS CloudWatch logs are enabled for all your APIs created with Amazon API Gateway service in order to track and analyze execution behavior at the API stage level.",
"reference_id": "AWS.API Gateway.Logging.Medium.0572",
"category": "Logging",
"category": "Logging and Monitoring",
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,6 @@
"severity": "MEDIUM",
"description": "Enable SSL Client Certificate",
"reference_id": "AWS.API Gateway.Network Security.Medium.0565",
"category": "Network Security",
"category": "Infrastructure Security",
"version": 1
}
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,6 @@
"severity": "Medium",
"description": "Insecure Cross-Origin Resource Sharing Configuration allowing all domains",
"reference_id": "AWS.ApiGatewayV2Api.AccessControl.0630",
"category": "AccessControl",
"category": "Security Best Practices",
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,6 @@
"severity": "Low",
"description": "AWS API Gateway V2 Stage is missing access logs",
"reference_id": "AWS.ApiGatewayV2Stage.Logging.0630",
"category": "Logging",
"category": "Logging and Monitoring",
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,6 @@
"severity": "MEDIUM",
"description": "AWS CloudFormation Not In Use",
"reference_id": "AWS.CloudFormation.Medium.0599",
"category": " ",
"category": "Security Best Practices",
"version": 1
}
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,6 @@
"severity": "MEDIUM",
"description": "Enable AWS CloudFormation Stack Notifications",
"reference_id": "AWS.CloudFormation.Medium.0603",
"category": " ",
"category": "Security Best Practices",
"version": 1
}
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,6 @@
"severity": "MEDIUM",
"description": "AWS CloudFormation Stack Policy",
"reference_id": "AWS.CloudFormation.Medium.0604",
"category": " ",
"category": "Security Best Practices",
"version": 1
}
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,6 @@
"severity": "MEDIUM",
"description": "Enable AWS CloudFormation Stack Termination Protection",
"reference_id": "AWS.CloudFormation.Medium.0605",
"category": " ",
"category": "Security Best Practices",
"version": 1
}
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,6 @@
"severity": "Medium",
"description": "Ensure that cloud-front has web application firewall enabled",
"reference_id": "AC-AW-IS-CD-M-1186",
"category": "Encryption and Key Management",
"category": "Infrastructure Security",
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,6 @@
"severity": "HIGH",
"description": "Use encrypted connection between CloudFront and origin server",
"reference_id": "AWS.CloudFront.EncryptionandKeyManagement.High.0407",
"category": "Encryption and Key Management",
"category": "Data Protection",
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,6 @@
"severity": "HIGH",
"description": "Secure ciphers are not used in CloudFront distribution",
"reference_id": "AWS.CloudFront.EncryptionandKeyManagement.High.0408",
"category": "Encryption and Key Management",
"category": "Data Protection",
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,6 @@
"severity": "MEDIUM",
"description": "Ensure that your AWS Cloudfront distributions have the Logging feature enabled in order to track all viewer requests for the content delivered through the Content Delivery Network (CDN).",
"reference_id": "AWS.CloudFront.Logging.Medium.0567",
"category": "Logging",
"category": "Logging and Monitoring",
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,6 @@
"severity": "HIGH",
"description": "Cloud Trail Log Not Enabled",
"reference_id": "AWS.CloudTrail.Logging.High.0399",
"category": "Logging",
"category": "Logging and Monitoring",
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,6 @@
"severity": "MEDIUM",
"description": "Ensure appropriate subscribers to each SNS topic",
"reference_id": "AWS.CloudTrail.Logging.Low.0559",
"category": "Logging",
"category": "Logging and Monitoring",
"version": 1
}
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,6 @@
"severity": "MEDIUM",
"description": "Cloud Trail Multi Region not enabled",
"reference_id": "AWS.CloudTrail.Logging.Medium.0460",
"category": "Logging",
"category": "Logging and Monitoring",
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,6 @@
"severity": "HIGH",
"description": "AWS CloudWatch log group is not encrypted with a KMS CMK",
"reference_id": "AWS.CloudWatch.EncryptionandKeyManagement.High.0632",
"category": "Encryption and Key Management",
"category": "Data Protection",
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,6 @@
"severity": "MEDIUM",
"description": "App-Tier CloudWatch Log Group Retention Period",
"reference_id": "AWS.CloudWatch.Logging.Medium.0631",
"category": "Logging",
"category": "Logging and Monitoring",
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,6 @@
"severity": "MEDIUM",
"description": "Ensure AWS Config Rule is enabled for Encrypted Volumes",
"reference_id": "AWS.Config.Encryption\u0026KeyManagement.Medium.0660",
"category": "Encryption \u0026 Key Management",
"category": "Data Protection",
"version": 1
}
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,6 @@
"severity": "HIGH",
"description": "Ensure AWS Config is enabled in all regions",
"reference_id": "AWS.Config.Logging.HIGH.0590",
"category": "Logging",
"category": "Logging and Monitoring",
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,6 @@
"severity": "HIGH",
"description": "RDS Instance Auto Minor Version Upgrade flag disabled",
"reference_id": "AWS.RDS.DS.High.1041",
"category": "Data Security",
"category": "Data Protection",
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,6 @@
"severity": "HIGH",
"description": "Ensure Certificate used in RDS instance is updated",
"reference_id": "AWS.RDS.DS.High.1042",
"category": "Data Security",
"category": "Data Protection",
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,6 @@
"severity": "HIGH",
"description": "Ensure that your RDS database instances encrypt the underlying storage. Encrypted RDS instances use the industry standard AES-256 encryption algorithm to encrypt data on the server that hosts RDS DB instances. After data is encrypted, RDS handles authentication of access and descryption of data transparently with minimal impact on performance.",
"reference_id": "AWS.RDS.DataSecurity.High.0414",
"category": "Data Security",
"category": "Data Protection",
"version": 1
}
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,6 @@
"severity": "HIGH",
"description": "Ensure that your RDS database has IAM Authentication enabled.",
"reference_id": "AWS.RDS.DataSecurity.High.0577",
"category": "Data Security",
"category": "Data Protection",
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@
},
"severity": "HIGH",
"description": "RDS Instance publicly_accessible flag is true",
"reference_id": "AWS.AWS RDS.NS.High.0101",
"category": "Network Security",
"reference_id": "AWS.RDS.NS.High.0101",
"category": "Infrastructure Security",
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,6 @@
"severity": "HIGH",
"description": "RDS should not be defined with public interface. Firewall and router configurations should be used to restrict connections between untrusted networks and any system components in the cloud environment.",
"reference_id": "AWS.RDS.NetworkSecurity.High.0101",
"category": "Network Security",
"category": "Infrastructure Security",
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,6 @@
"severity": "HIGH",
"description": "RDS should not be open to a public scope. Firewall and router configurations should be used to restrict connections between untrusted networks and any system components in the cloud environment.",
"reference_id": "AWS.RDS.NetworkSecurity.High.0102",
"category": "Network Security",
"category": "Infrastructure Security",
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,6 @@
"severity": "HIGH",
"description": "RDS should not be open to a large scope. Firewall and router configurations should be used to restrict connections between untrusted networks and any system components in the cloud environment.",
"reference_id": "AWS.RDS.NetworkSecurity.High.0103",
"category": "Network Security",
"category": "Infrastructure Security",
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,6 @@
"severity": "HIGH",
"description": "Ensure that the AWS EBS that hold sensitive and critical data is encrypted by default to fulfill compliance requirements for data-at-rest encryption.",
"reference_id": "AWS.EBS.DataSecurity.High.0580",
"category": "Data Security",
"category": "Data Protection",
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,6 @@
"severity": "HIGH",
"description": "Enable AWS EBS Snapshot Encryption",
"reference_id": "AWS.EBS.EKM.Medium.0682",
"category": "Encryption and Key Management",
"category": "Data Protection",
"version": 1
}
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,6 @@
"severity": "HIGH",
"description": "Ensure that AWS EBS clusters are encrypted. Data encryption at rest, prevents unauthorized users from accessing sensitive data on your AWS EBS clusters and associated cache storage systems.",
"reference_id": "AWS.EcsCluster.EncryptionandKeyManagement.High.0413",
"category": "Encryption and Key Management",
"category": "Data Protection",
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,6 @@
"severity": "MEDIUM",
"description": "Unscanned images may contain vulnerabilities",
"reference_id": "AWS.ECR.DataSecurity.High.0578",
"category": "Data Security",
"category": "Configuration and Vulnerability Analysis",
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,6 @@
"severity": "HIGH",
"description": "Identify any exposed Amazon ECR image repositories available within your AWS account and update their permissions in order to protect against unauthorized access. Amazon Elastic Container Registry (ECR) is a managed Docker registry service that makes it easy for DevOps teams to store, manage and deploy Docker container images. An ECR repository is a collection of Docker images available on AWS cloud.",
"reference_id": "AWS.ECR.DataSecurity.High.0579",
"category": "Data Security",
"category": "Identity and Access Management",
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,6 @@
"severity": "HIGH",
"description": "Like any other EC2 instance it is recommended to place ECS instance within a VPC. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations",
"reference_id": "AWS.EcsCluster.NetworkSecurity.High.0104",
"category": "Network Security",
"category": "Infrastructure Security",
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,6 @@
"severity": "HIGH",
"description": "Sensitive Information Disclosure",
"reference_id": "AWS.LaunchConfiguration.DataSecurity.High.0101",
"category": "Data Security",
"category": "Data Protection",
"version": 1
}
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,6 @@
"severity": "HIGH",
"description": "Enable encryption of your EFS file systems in order to protect your data and metadata from breaches or unauthorized access and fulfill compliance requirements for data-at-rest encryption within your organization.",
"reference_id": "AWS.EFS.EncryptionandKeyManagement.High.0409",
"category": "Encryption and Key Management",
"category": "Data Protection",
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,6 @@
"severity": "HIGH",
"description": "Enable encryption of your EFS file systems in order to protect your data and metadata from breaches or unauthorized access and fulfill compliance requirements for data-at-rest encryption within your organization.",
"reference_id": "AWS.EFS.EncryptionandKeyManagement.High.0410",
"category": "Encryption and Key Management",
"category": "Data Protection",
"version": 2
}
Loading