Add ID Field for AWS Policies' Metadata #831

Merged (2 commits), Jun 3, 2021
Expand Up @@ -8,5 +8,6 @@
"description": "Enable AWS AMI Encryption",
"reference_id": "AWS.EC2.Encryption\u0026KeyManagement.Medium.0688",
"category": "Infrastructure Security",
"version": 1
"version": 1,
"id": "AC_AWS_0005"
}
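Review bot: the new "id" values (here "AC_AWS_0005") are assigned by hand across dozens of files, and nothing in this change guards against two metadata files ending up with the same id; suggest adding a test that loads every metadata JSON file, asserts that the "id" values are unique and match the AC_AWS_NNNN shape, and fails on a missing "id", so later additions cannot silently reuse a number.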
Expand Up @@ -10,5 +10,6 @@
"description": "Limit access to AWS AMIs",
"reference_id": "AWS.AMI.NS.Medium.1040",
"category": "Infrastructure Security",
"version": 2
"version": 2,
"id": "AC_AWS_0006"
}
Expand Up @@ -8,5 +8,6 @@
"description": "Enable Detailed CloudWatch Metrics for APIs",
"reference_id": "AWS.API Gateway.Logging.Medium.0569",
"category": "Logging and Monitoring",
"version": 2
"version": 2,
"id": "AC_AWS_0007"
}
Expand Up @@ -8,5 +8,6 @@
"description": "Enable Content Encoding",
"reference_id": "AWS.APIGateway.Medium.0568",
"category": "Infrastructure Security",
"version": 1
"version": 1,
"id": "AC_AWS_0010"
}
Expand Up @@ -8,5 +8,6 @@
"description": "API Gateway Private Endpoints",
"reference_id": "AWS.APIGateway.Network Security.Medium.0570",
"category": "Infrastructure Security",
"version": 1
"version": 1,
"id": "AC_AWS_0011"
}
Expand Up @@ -8,5 +8,6 @@
"description": "Enable AWS CloudWatch Logs for APIs",
"reference_id": "AWS.API Gateway.Logging.Medium.0567",
"category": "Logging and Monitoring",
"version": 1
"version": 1,
"id": "AC_AWS_0014"
}
Expand Up @@ -4,9 +4,10 @@
"policy_type": "aws",
"resource_type": "aws_api_gateway_stage",
"template_args": null,
"severity": "MEDIUM",
"severity": "LOW",
"description": "Ensure AWS API Gateway has active xray tracing enabled",
"reference_id": "AWS.API Gateway.Logging.Medium.0571",
"category": "Logging and Monitoring",
"version": 2
"version": 2,
"id": "AC_AWS_0015"
}
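Review bot: the severity change from "MEDIUM" to "LOW" is outside what the PR title describes (adding an "id" field) and is not reflected anywhere else in the file: "reference_id" still reads "AWS.API Gateway.Logging.Medium.0571" and "version" stays at 2. Either move the downgrade into its own commit with a rationale, or bump "version" and make the reference string agree, so consumers that key on the reference id are not misled about the rated severity.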
Expand Up @@ -10,5 +10,6 @@
"description": "Ensure that AWS CloudWatch logs are enabled for all your APIs created with Amazon API Gateway service in order to track and analyze execution behavior at the API stage level.",
"reference_id": "AWS.API Gateway.Logging.Medium.0572",
"category": "Logging and Monitoring",
"version": 2
"version": 2,
"id": "AC_AWS_0012"
}
Expand Up @@ -8,5 +8,6 @@
"description": "Enable SSL Client Certificate",
"reference_id": "AWS.API Gateway.Network Security.Medium.0565",
"category": "Infrastructure Security",
"version": 1
"version": 1,
"id": "AC_AWS_0013"
}
Expand Up @@ -11,5 +11,6 @@
"description": "Enable AWS CloudFormation Stack Notifications",
"reference_id": "AWS.CloudFormation.Medium.0603",
"category": "Security Best Practices",
"version": 1
"version": 1,
"id": "AC_AWS_0021"
}
Expand Up @@ -8,5 +8,6 @@
"description": "Enable AWS CloudFormation Stack Termination Protection",
"reference_id": "AWS.CloudFormation.Medium.0605",
"category": "Security Best Practices",
"version": 1
"version": 1,
"id": "AC_AWS_0022"
}
Expand Up @@ -6,9 +6,10 @@
"template_args": {
"prefix": ""
},
"severity": "Medium",
"severity": "LOW",
"description": "Ensure that geo restriction is enabled for your Amazon CloudFront CDN distribution to whitelist or blacklist a country in order to allow or restrict users in specific locations from accessing web application content.",
"reference_id": "AC-AW-IS-CD-M-0026",
"category": "Infrastructure Security",
"version": 2
"version": 2,
"id": "AC_AWS_0026"
}
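Review bot: same concern as the API Gateway xray hunk: severity moves from "Medium" to "LOW" while "version" stays at 2 and the reference "AC-AW-IS-CD-M-0026" keeps its M (medium) marker. The old line also shows that severity values were mixed-case before this change ("Medium" here, "MEDIUM" and "HIGH" elsewhere in the diff); if the loader compares severity strings case-sensitively, a validator that restricts the field to one canonical set would be a good companion to the new "id" check.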
Expand Up @@ -8,5 +8,6 @@
"description": "Ensure that cloud-front has web application firewall enabled",
"reference_id": "AC-AW-IS-CD-M-1186",
"category": "Infrastructure Security",
"version": 2
"version": 2,
"id": "AC_AWS_0032"
}
Expand Up @@ -10,5 +10,6 @@
"description": "Use encrypted connection between CloudFront and origin server",
"reference_id": "AWS.CloudFront.EncryptionandKeyManagement.High.0407",
"category": "Data Protection",
"version": 2
"version": 2,
"id": "AC_AWS_0024"
}
Expand Up @@ -10,5 +10,6 @@
"description": "Secure ciphers are not used in CloudFront distribution",
"reference_id": "AWS.CloudFront.EncryptionandKeyManagement.High.0408",
"category": "Data Protection",
"version": 2
"version": 2,
"id": "AC_AWS_0023"
}
Expand Up @@ -10,5 +10,6 @@
"description": "Ensure that your AWS Cloudfront distributions have the Logging feature enabled in order to track all viewer requests for the content delivered through the Content Delivery Network (CDN).",
"reference_id": "AWS.CloudFront.Logging.Medium.0567",
"category": "Logging and Monitoring",
"version": 2
"version": 2,
"id": "AC_AWS_0025"
}
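Review bot: "AWS.CloudFront.Logging.Medium.0567" shares its numeric suffix 0567 with "AWS.API Gateway.Logging.Medium.0567" earlier in this diff, which is a concrete case of "reference_id" not being a reliable unique key and the reason the new "id" field needs a uniqueness test; worth mentioning in the PR description so the motivation for the extra field is recorded.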
Expand Up @@ -10,5 +10,6 @@
"description": "Ensure CloudTrail logs are encrypted using KMS",
"reference_id": "AWS.CloudTrail.Logging.High.0399",
"category": "Logging and Monitoring",
"version": 2
"version": 2,
"id": "AC_AWS_0033"
}
@@ -1,6 +1,8 @@
{
"name": "ecrmaketagsimmutable",
"file": "ecr_make_tags_immutable.rego",
"policy_type": "",
"resource_type": "",
"template_args": {
"prefix": ""
},
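Review bot: "policy_type" and "resource_type" are both empty strings for the ECR immutable-tags policy, whereas the API Gateway stage entry earlier in this diff sets them to "aws" and "aws_api_gateway_stage"; if these fields drive which resources a rule is evaluated against, the empty values should be filled in here or rejected by the metadata validator. The lines this hunk adds are collapsed in the rendered view, so the id assigned in this file cannot be checked against the others; the same two points apply to the cloudTrailMultiRegion, dynamodb recovery, ec2 ebs and configEnabled hunks below, which also leave both fields empty.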
Expand Up @@ -10,5 +10,6 @@
"description": "Ensure appropriate subscribers to each SNS topic",
"reference_id": "AWS.CloudTrail.Logging.Low.0559",
"category": "Logging and Monitoring",
"version": 1
"version": 1,
"id": "AC_AWS_0035"
}
@@ -1,6 +1,8 @@
{
"name": "cloudTrailMultiRegionEnabled",
"file": "cloudTrailMultiRegion.rego",
"policy_type": "",
"resource_type": "",
"template_args": {
"prefix": ""
},
@@ -1,6 +1,8 @@
{
"name": "dynamoderecovery_enabled",
"file": "dynamodb_without_recovery_enabled.rego",
"policy_type": "",
"resource_type": "",
"template_args": {
"prefix": ""
},
@@ -1,6 +1,8 @@
{
"name": "ec2ebsnotoptimized",
"file": "ec2_ebs_not_optimized.rego",
"policy_type": "",
"resource_type": "",
"template_args": {
"prefix": ""
},
@@ -1,12 +1,15 @@
{
"name": "cloudTrailMultiRegionNotCreated",
"file": "cloudTrailMultiRegionNotCreated.rego",
"policy_type": "",
"resource_type": "",
"template_args": {
"prefix": ""
},
"severity": "MEDIUM",
"description": "Cloud Trail Multi Region not enabled",
"reference_id": "AWS.CloudTrail.Logging.Medium.0460",
"category": "Logging",
"version": 2
"category": "Logging and Monitoring",
"version": 2,
"id": "AC_AWS_0034"
}
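Review bot: besides adding the id, this hunk changes "category" from "Logging" to "Logging and Monitoring"; that normalization matches every other logging policy in the diff and is welcome, but it is not an "id" change and should be named in the commit message, and if anything filters or reports on category it deserves the "version" bump that this hunk leaves at 2. Separately, "cloudTrailMultiRegionNotCreated" here and "cloudTrailMultiRegionEnabled" in an earlier hunk read as the same control; please confirm they are intentionally distinct policies rather than a duplicate that should share one id.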
@@ -1,6 +1,8 @@
{
"name": "configEnabledForAllRegions",
"file": "configEnabled.rego",
"policy_type": "",
"resource_type": "",
"template_args": {
"prefix": ""
},
Expand Up @@ -8,5 +8,6 @@
"description": "App-Tier CloudWatch Log Group Retention Period",
"reference_id": "AWS.CloudWatch.Logging.Medium.0631",
"category": "Logging and Monitoring",
"version": 2
"version": 2,
"id": "AC_AWS_0041"
}
Expand Up @@ -8,5 +8,6 @@
"description": "Ensure AWS Config Rule is enabled for Encrypted Volumes",
"reference_id": "AWS.Config.Encryption\u0026KeyManagement.Medium.0660",
"category": "Data Protection",
"version": 1
"version": 1,
"id": "AC_AWS_0048"
}
Expand Up @@ -10,5 +10,6 @@
"description": "Ensure AWS Config is enabled in all regions",
"reference_id": "AWS.Config.Logging.HIGH.0590",
"category": "Logging and Monitoring",
"version": 2
"version": 2,
"id": "AC_AWS_0049"
}
Expand Up @@ -10,5 +10,6 @@
"description": "RDS Instance Auto Minor Version Upgrade flag disabled",
"reference_id": "AWS.RDS.DS.High.1041",
"category": "Data Protection",
"version": 2
"version": 2,
"id": "AC_AWS_0056"
}
Expand Up @@ -10,5 +10,6 @@
"description": "Ensure Certificate used in RDS instance is updated",
"reference_id": "AWS.RDS.DS.High.1042",
"category": "Data Protection",
"version": 2
"version": 2,
"id": "AC_AWS_0057"
}
Expand Up @@ -8,5 +8,6 @@
"description": "Ensure that your RDS database instances encrypt the underlying storage. Encrypted RDS instances use the industry standard AES-256 encryption algorithm to encrypt data on the server that hosts RDS DB instances. After data is encrypted, RDS handles authentication of access and descryption of data transparently with minimal impact on performance.",
"reference_id": "AWS.RDS.DataSecurity.High.0414",
"category": "Data Protection",
"version": 1
"version": 1,
"id": "AC_AWS_0058"
}
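Review bot: the description in the context line has a typo, "descryption" for "decryption"; since this change already edits the tail of the file, it is cheap to correct it in the same commit rather than leave it for a later metadata pass.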
Expand Up @@ -6,9 +6,10 @@
"template_args": {
"prefix": ""
},
"severity": "HIGH",
"severity": "MEDIUM",
"description": "Ensure that your RDS database has IAM Authentication enabled.",
"reference_id": "AWS.RDS.DataSecurity.High.0577",
"category": "Data Protection",
"version": 2
"version": 2,
"id": "AC_AWS_0053"
}
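Review bot: severity is lowered from "HIGH" to "MEDIUM" for the RDS IAM authentication policy while "reference_id" still reads "AWS.RDS.DataSecurity.High.0577" and "version" stays at 2; as with the two earlier downgrades, this is a rating change hidden inside an "add id" PR and should either be split out with its justification or be accompanied by a version bump and a corrected reference string.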
Expand Up @@ -10,5 +10,6 @@
"description": "RDS Instance publicly_accessible flag is true",
"reference_id": "AWS.RDS.NS.High.0101",
"category": "Infrastructure Security",
"version": 2
"version": 2,
"id": "AC_AWS_0054"
}
Expand Up @@ -10,5 +10,6 @@
"description": "RDS should not be defined with public interface. Firewall and router configurations should be used to restrict connections between untrusted networks and any system components in the cloud environment.",
"reference_id": "AWS.RDS.NetworkSecurity.High.0101",
"category": "Infrastructure Security",
"version": 2
"version": 2,
"id": "AC_AWS_0066"
}
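Review bot: "AWS.RDS.NetworkSecurity.High.0101" differs from "AWS.RDS.NS.High.0101" in the previous hunk only by the abbreviation, yet the two files receive different ids (AC_AWS_0066 and AC_AWS_0054); the descriptions do differ ("publicly_accessible flag is true" versus "should not be defined with public interface"), so please confirm these are two distinct checks and not one policy recorded twice, since the new id is meant to be the stable key going forward.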
Expand Up @@ -10,5 +10,6 @@
"description": "RDS should not be open to a public scope. Firewall and router configurations should be used to restrict connections between untrusted networks and any system components in the cloud environment.",
"reference_id": "AWS.RDS.NetworkSecurity.High.0102",
"category": "Infrastructure Security",
"version": 2
"version": 2,
"id": "AC_AWS_0067"
}
Expand Up @@ -10,5 +10,6 @@
"description": "RDS should not be open to a large scope. Firewall and router configurations should be used to restrict connections between untrusted networks and any system components in the cloud environment.",
"reference_id": "AWS.RDS.NetworkSecurity.High.0103",
"category": "Infrastructure Security",
"version": 2
"version": 2,
"id": "AC_AWS_0065"
}
Expand Up @@ -10,5 +10,6 @@
"description": "Ensure that the AWS EBS that hold sensitive and critical data is encrypted by default to fulfill compliance requirements for data-at-rest encryption.",
"reference_id": "AWS.EBS.DataSecurity.High.0580",
"category": "Data Protection",
"version": 2
"version": 2,
"id": "AC_AWS_0079"
}
Expand Up @@ -10,5 +10,6 @@
"description": "Unscanned images may contain vulnerabilities",
"reference_id": "AWS.ECR.DataSecurity.High.0578",
"category": "Configuration and Vulnerability Analysis",
"version": 2
"version": 2,
"id": "AC_AWS_0083"
}
Expand Up @@ -10,5 +10,6 @@
"description": "Identify any exposed Amazon ECR image repositories available within your AWS account and update their permissions in order to protect against unauthorized access. Amazon Elastic Container Registry (ECR) is a managed Docker registry service that makes it easy for DevOps teams to store, manage and deploy Docker container images. An ECR repository is a collection of Docker images available on AWS cloud.",
"reference_id": "AWS.ECR.DataSecurity.High.0579",
"category": "Identity and Access Management",
"version": 2
"version": 2,
"id": "AC_AWS_0084"
}
Expand Up @@ -8,5 +8,6 @@
"description": "Ensure there are no ECS services Admin roles",
"reference_id": "AWS.ECS.High.0436",
"category": "Identity and Access Management",
"version": 1
"version": 1,
"id": "AC_AWS_0087"
}
Expand Up @@ -10,5 +10,6 @@
"description": "Like any other EC2 instance it is recommended to place ECS instance within a VPC. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations",
"reference_id": "AWS.EcsCluster.NetworkSecurity.High.0104",
"category": "Infrastructure Security",
"version": 2
"version": 2,
"id": "AC_AWS_0088"
}
Expand Up @@ -12,5 +12,6 @@
"description": "Sensitive Information Disclosure",
"reference_id": "AWS.LaunchConfiguration.DataSecurity.High.0101",
"category": "Data Protection",
"version": 1
"version": 1,
"id": "AC_AWS_0095"
}