added iam policies

avd_docs/aws/iam/AVD-AWS-0329/docs.md

@@ -0,0 +1,13 @@
+
+Ensures all groups have at least one member
+
+### Impact
+<!-- Add Impact here -->
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+### Links
+- http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_WorkingWithGroupsAndUsers.html
+
+

avd_docs/aws/iam/AVD-AWS-0330/docs.md

@@ -0,0 +1,13 @@
+
+Ensures that an IAM role, group or user exists with specific permissions to access support center.
+
+### Impact
+<!-- Add Impact here -->
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/awssupport/latest/user/accessing-support.html
+
+

avd_docs/aws/iam/AVD-AWS-0331/docs.md

@@ -0,0 +1,13 @@
+
+Ensure that at least one IAM user exists so that access to your AWS services and resources is made only through IAM users instead of the root account.
+
+### Impact
+<!-- Add Impact here -->
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
+
+

avd_docs/aws/iam/AVD-AWS-0332/docs.md

@@ -0,0 +1,13 @@
+
+Ensures password policy enforces a password expiration
+
+### Impact
+<!-- Add Impact here -->
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+### Links
+- http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingPasswordPolicies.html
+
+

avd_docs/aws/iam/AVD-AWS-0333/docs.md

@@ -0,0 +1,13 @@
+
+Ensures password policy requires at least one lowercase letter
+
+### Impact
+<!-- Add Impact here -->
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+### Links
+- http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingPasswordPolicies.html
+
+

avd_docs/aws/iam/AVD-AWS-0334/docs.md

@@ -0,0 +1,13 @@
+
+Ensures password policy requires the use of numbers
+
+### Impact
+<!-- Add Impact here -->
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+### Links
+- http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingPasswordPolicies.html
+
+

avd_docs/aws/iam/AVD-AWS-0335/docs.md

@@ -0,0 +1,13 @@
+
+Ensures password policy requires at least one uppercase letter
+
+### Impact
+<!-- Add Impact here -->
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+### Links
+- http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingPasswordPolicies.html
+
+

avd_docs/aws/iam/AVD-AWS-0336/docs.md

@@ -0,0 +1,13 @@
+
+Ensures password policy requires the use of symbols
+
+### Impact
+<!-- Add Impact here -->
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+### Links
+- http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingPasswordPolicies.html
+
+

internal/adapters/cloud/aws/iam/iam.go

@@ -74,6 +74,7 @@ func (a *adapter) adaptPasswordPolicy(state *state.State) error {
 	if policy.PasswordReusePrevention != nil {
 		reusePrevention = int(*policy.PasswordReusePrevention)
 	}
+
 	maxAge := 0
 	if policy.MaxPasswordAge != nil {
 		maxAge = int(*policy.MaxPasswordAge)
@@ -89,6 +90,7 @@ func (a *adapter) adaptPasswordPolicy(state *state.State) error {
 		RequireUppercase:     types.Bool(policy.RequireUppercaseCharacters, metadata),
 		RequireNumbers:       types.Bool(policy.RequireNumbers, metadata),
 		RequireSymbols:       types.Bool(policy.RequireSymbols, metadata),
+		ExpirePasswords:      types.Bool(policy.ExpirePasswords, metadata),
 		MaxAgeDays:           types.Int(maxAge, metadata),
 		MinimumLength:        types.Int(minimumLength, metadata),
 	}

internal/adapters/cloudformation/aws/iam/iam.go

@@ -16,6 +16,7 @@ func Adapt(cfFile parser.FileContext) iam.IAM {
 			RequireUppercase:     defsecTypes.BoolDefault(false, defsecTypes.NewUnmanagedMetadata()),
 			RequireNumbers:       defsecTypes.BoolDefault(false, defsecTypes.NewUnmanagedMetadata()),
 			RequireSymbols:       defsecTypes.BoolDefault(false, defsecTypes.NewUnmanagedMetadata()),
+			ExpirePasswords:      defsecTypes.BoolDefault(false, defsecTypes.NewUnmanagedMetadata()),
 			MaxAgeDays:           defsecTypes.IntDefault(0, defsecTypes.NewUnmanagedMetadata()),
 			MinimumLength:        defsecTypes.IntDefault(0, defsecTypes.NewUnmanagedMetadata()),
 		},

internal/adapters/terraform/aws/iam/passwords.go

@@ -59,6 +59,11 @@ func adaptPasswordPolicy(modules terraform.Modules) iam.PasswordPolicy {
 	} else {
 		policy.ReusePreventionCount = defsecTypes.IntDefault(0, policyBlock.GetMetadata())
 	}
+	if attr := policyBlock.GetAttribute("expire_passwords"); attr.IsNotNil() {
+		policy.ExpirePasswords = defsecTypes.BoolExplicit(attr.IsTrue(), attr.GetMetadata())
+	} else {
+		policy.ExpirePasswords = defsecTypes.BoolDefault(false, policyBlock.GetMetadata())
+	}
 	if attr := policyBlock.GetAttribute("max_password_age"); attr.IsNumber() {
 		value := attr.AsNumber()
 		policy.MaxAgeDays = defsecTypes.IntExplicit(int(value), attr.GetMetadata())
@@ -71,6 +76,5 @@ func adaptPasswordPolicy(modules terraform.Modules) iam.PasswordPolicy {
 	} else {
 		policy.MinimumLength = defsecTypes.IntDefault(0, policyBlock.GetMetadata())
 	}
-
 	return policy
 }

internal/rules/policies/cloud/policies/aws/iam/empty_groups.rego

@@ -0,0 +1,25 @@
+# METADATA
+# title: "Empty Groups"
+# description: "Ensures all groups have at least one member"
+# scope: package
+# schemas:
+# - input: schema.input
+# related_resources:
+# - http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_WorkingWithGroupsAndUsers.html
+# custom:
+#   avd_id: AVD-AWS-0329
+#   provider: aws
+#   service: iam
+#   severity: HIGH
+#   short_code: empty_groups
+#   recommended_action: "Remove unused groups without users"
+#   input:
+#     selector:
+#     - type: cloud
+package builtin.aws.iam.aws0329
+
+deny[res] {
+	group := input.aws.iam.groups[_]
+	not group.users
+	res := result.new("Group does not contain any users", group)
+}

internal/rules/policies/cloud/policies/aws/iam/empty_groups_test.rego

@@ -0,0 +1,11 @@
+package builtin.aws.iam.aws0329
+
+test_detects_not_empty_group {
+	r := deny with input as {"aws": {"iam": {"groups": [{"users": [{"name": {"value": "user"}}]}]}}}
+	count(r) == 0
+}
+
+test_when_empty_group {
+	r := deny with input as {"aws": {"iam": {"groups": [{}]}}}
+	count(r) == 1
+}

internal/rules/policies/cloud/policies/aws/iam/iam_support_policy.rego

@@ -0,0 +1,25 @@
+# METADATA
+# title: "IAM Support Policy"
+# description: "Ensures that an IAM role, group or user exists with specific permissions to access support center."
+# scope: package
+# schemas:
+# - input: schema.input
+# related_resources:
+# - https://docs.aws.amazon.com/awssupport/latest/user/accessing-support.html
+# custom:
+#   avd_id: AVD-AWS-0330
+#   provider: aws
+#   service: iam
+#   severity: HIGH
+#   short_code: iam_support_policy
+#   recommended_action: "Ensure that an IAM role has permission to access support center."
+#   input:
+#     selector:
+#     - type: cloud
+package builtin.aws.iam.aws0330
+
+deny[res] {
+    found := [policy| policy = input.aws.iam.policies[_]; policy.name.value == "AWSSupportAccess"]
+    count(found) == 0
+	res := result.new("No role, user or group attached to the AWSSupportAccess policy", "")
+}

internal/rules/policies/cloud/policies/aws/iam/iam_support_policy_test.rego

@@ -0,0 +1,11 @@
+package builtin.aws.iam.aws0330
+
+test_detects_has_not_support_policy {
+	r := deny with input as {"aws": {"iam": {"policies": [{"name": {"value": "AWSSupportAccess"}}]}}}
+	count(r) == 0
+}
+
+test_when_has_support_policy {
+	r := deny with input as {"aws": {"iam": {"policies": [{"name": {"value": "s3-migration"}}]}}}
+	count(r) == 1
+}

internal/rules/policies/cloud/policies/aws/iam/iam_user_present.rego

@@ -0,0 +1,24 @@
+# METADATA
+# title: "IAM User Present"
+# description: "Ensure that at least one IAM user exists so that access to your AWS services and resources is made only through IAM users instead of the root account."
+# scope: package
+# schemas:
+# - input: schema.input
+# related_resources:
+# - https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
+# custom:
+#   avd_id: AVD-AWS-0331
+#   provider: aws
+#   service: iam
+#   severity: HIGH
+#   short_code: iam_user_present
+#   recommended_action: "Create IAM user(s) and use them to access AWS services and resources."
+#   input:
+#     selector:
+#     - type: cloud
+package builtin.aws.iam.aws0331
+
+deny[res] {
+	count(input.aws.iam.users) == 0
+	res := result.new("No users found", "")
+}

internal/rules/policies/cloud/policies/aws/iam/iam_user_present_test.rego

@@ -0,0 +1,11 @@
+package builtin.aws.iam.aws0331
+
+test_detects_has_users{
+	r := deny with input as {"aws": {"iam": {"users": [{"name": {"value": "user"}}]}}}
+	count(r) == 0
+}
+
+test_when_has_no_user{
+	r := deny with input as {"aws": {"iam": {"users": []}}}
+	count(r) == 1
+}

internal/rules/policies/cloud/policies/aws/iam/password_expiration.rego

@@ -0,0 +1,30 @@
+# METADATA
+# title: "Password Expiration"
+# description: "Ensures password policy enforces a password expiration"
+# scope: package
+# schemas:
+# - input: schema.input
+# related_resources:
+# - http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingPasswordPolicies.html
+# custom:
+#   avd_id: AVD-AWS-0332
+#   provider: aws
+#   service: iam
+#   severity: HIGH
+#   short_code: password_expiration
+#   recommended_action: "Enable password expiration for the account"
+#   input:
+#     selector:
+#     - type: cloud
+package builtin.aws.iam.aws0332
+
+deny[res] {
+	policy := input.aws.iam.passwordpolicy
+    not policy.expirepasswords.value
+	res := result.new("Password expiration policy is not set to expire passwords", policy.expirepasswords)
+}{
+    policy := input.aws.iam.passwordpolicy
+    policy.expirepasswords.value
+    policy.maxagedays.value > 180
+	res := result.new("Password expiration days is greater than 180", policy.maxagedays)
+}

internal/rules/policies/cloud/policies/aws/iam/password_expiration_test.rego

@@ -0,0 +1,16 @@
+package builtin.aws.iam.aws0332
+
+test_detects_has_no_password_policy {
+	r := deny with input as {"aws": {"iam": {"passwordpolicy": {"expirepasswords": {"value": false}}}}}
+	count(r) == 1
+}
+
+test_when_has_expiration_greater_than_180{
+	r := deny with input as {"aws": {"iam": {"passwordpolicy": {"expirepasswords": {"value": true},"maxagedays": {"value": 185}}}}}
+	count(r) == 1
+}
+
+test_when_has_expiration_suitable{
+	r := deny with input as {"aws": {"iam": {"passwordpolicy": {"expirepasswords": {"value": true},"maxagedays": {"value": 90}}}}}
+	count(r) == 0
+}

internal/rules/policies/cloud/policies/aws/iam/password_requires_lowercase.rego

@@ -0,0 +1,25 @@
+# METADATA
+# title: "Password Requires Lowercase"
+# description: "Ensures password policy requires at least one lowercase letter"
+# scope: package
+# schemas:
+# - input: schema.input
+# related_resources:
+# - http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingPasswordPolicies.html
+# custom:
+#   avd_id: AVD-AWS-0333
+#   provider: aws
+#   service: iam
+#   severity: HIGH
+#   short_code: password_requires_lowercase
+#   recommended_action: "Update the password policy to require the use of lowercase letters"
+#   input:
+#     selector:
+#     - type: cloud
+package builtin.aws.iam.aws0333
+
+deny[res] {
+	policy := input.aws.iam.passwordpolicy
+    not policy.requirelowercase.value
+	res := result.new("Password policy does not require lowercase characters", policy.requirelowercase)
+}

internal/rules/policies/cloud/policies/aws/iam/password_requires_lowercase_test.rego

@@ -0,0 +1,11 @@
+package builtin.aws.iam.aws0333
+
+test_detects_not_requires_lowercase {
+	r := deny with input as {"aws": {"iam": {"passwordpolicy": {"requirelowercase": {"value": false}}}}}
+	count(r) == 1
+}
+
+test_detects_requires_lowercase {
+	r := deny with input as {"aws": {"iam": {"passwordpolicy": {"requirelowercase": {"value": true}}}}}
+	count(r) == 0
+}

internal/rules/policies/cloud/policies/aws/iam/password_requires_numbers.rego

@@ -0,0 +1,25 @@
+# METADATA
+# title: "Password Requires Numbers"
+# description: "Ensures password policy requires the use of numbers"
+# scope: package
+# schemas:
+# - input: schema.input
+# related_resources:
+# - http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingPasswordPolicies.html
+# custom:
+#   avd_id: AVD-AWS-0334
+#   provider: aws
+#   service: iam
+#   severity: HIGH
+#   short_code: password_requires_lowercase
+#   recommended_action: "Update the password policy to require the use of numbers"
+#   input:
+#     selector:
+#     - type: cloud
+package builtin.aws.iam.aws0334
+
+deny[res] {
+	policy := input.aws.iam.passwordpolicy
+    not policy.requirenumbers.value
+	res := result.new("Password policy does not require numbers", policy.requirenumbers)
+}

internal/rules/policies/cloud/policies/aws/iam/password_requires_numbers_test.rego

@@ -0,0 +1,11 @@
+package builtin.aws.iam.aws0334
+
+test_detects_not_requires_numbers {
+	r := deny with input as {"aws": {"iam": {"passwordpolicy": {"requirenumbers": {"value": false}}}}}
+	count(r) == 1
+}
+
+test_detects_requires_numbers {
+	r := deny with input as {"aws": {"iam": {"passwordpolicy": {"requirenumbers": {"value": true}}}}}
+	count(r) == 0
+}