From f03d59ab0b6ef1a3699fa71f0741a4f54f0c6663 Mon Sep 17 00:00:00 2001 From: mrpackethead Date: Sun, 3 Sep 2023 23:50:10 +0000 Subject: [PATCH 01/85] added indexes --- src/index.ts | 1 + src/packs/nzism-v36-1022-20.ts | 881 ++++++++++++++++++ .../CloudFrontDefaultRootObjectConfigured.ts | 31 + src/rules/cloudfront/index.ts | 1 + src/rules/ec2/EC2SecurityGroupOnlyTcp443.ts | 100 ++ src/rules/ec2/index.ts | 1 + 6 files changed, 1015 insertions(+) create mode 100644 src/packs/nzism-v36-1022-20.ts create mode 100644 src/rules/cloudfront/CloudFrontDefaultRootObjectConfigured.ts create mode 100644 src/rules/ec2/EC2SecurityGroupOnlyTcp443.ts diff --git a/src/index.ts b/src/index.ts index 576f321031..93a59b5ddb 100644 --- a/src/index.ts +++ b/src/index.ts @@ -13,4 +13,5 @@ export * from './packs/hipaa-security'; export * from './packs/nist-800-53-r4'; export * from './packs/nist-800-53-r5'; export * from './packs/pci-dss-321'; +export * from './packs/nzism-v36-1022-20'; export * as rules from './rules'; diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts new file mode 100644 index 0000000000..a4601743ac --- /dev/null +++ b/src/packs/nzism-v36-1022-20.ts @@ -0,0 +1,881 @@ +/* +Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +SPDX-License-Identifier: Apache-2.0 +*/ +import { CfnResource } from 'aws-cdk-lib'; +import { IConstruct } from 'constructs'; +import { NagMessageLevel, NagPack, NagPackProps } from '../nag-pack'; +import { APIGWExecutionLoggingEnabled } from '../rules/apigw'; +import { + CloudFrontDistributionAccessLogging, + CloudFrontDistributionHttpsViewerNoOutdatedSSL, + CloudFrontDistributionWAFIntegration, + CloudFrontDefaultRootObjectConfigured, +} from '../rules/cloudfront'; +import { + CloudTrailCloudWatchLogsEnabled, + CloudTrailEncryptionEnabled, + CloudTrailLogFileValidationEnabled, +} from '../rules/cloudtrail'; +import { + CloudWatchLogGroupEncrypted, + CloudWatchLogGroupRetentionPeriod, +} from '../rules/cloudwatch'; +import { DMSReplicationNotPublic } from '../rules/dms'; +import { + DynamoDBAutoScalingEnabled, + DynamoDBInBackupPlan, + DynamoDBPITREnabled, +} from '../rules/dynamodb'; +import { + EC2EBSInBackupPlan, + EC2InstanceNoPublicIp, + EC2InstancesInVPC, + EC2RestrictedSSH, + EC2EBSVolumeEncrypted, + EC2SecurityGroupOnlyTcp443, + EC2IMDSv2Enabled, +} from '../rules/ec2'; +import { ECSTaskDefinitionUserForHostMode } from '../rules/ecs'; +import { EFSEncrypted, EFSInBackupPlan } from '../rules/efs'; +import { ElastiCacheRedisClusterAutomaticBackup } from '../rules/elasticache'; +import { ElasticBeanstalkManagedUpdatesEnabled } from '../rules/elasticbeanstalk'; +import { + ALBHttpToHttpsRedirection, + ALBWAFEnabled, + ELBCrossZoneLoadBalancingEnabled, + ELBLoggingEnabled, + ELBTlsHttpsListenersOnly, +} from '../rules/elb'; +import { IAMPolicyNoStatementsWithAdminAccess } from '../rules/iam'; +import { KMSBackingKeyRotationEnabled } from '../rules/kms'; +import { LambdaFunctionPublicAccessProhibited } from '../rules/lambda'; +import { + OpenSearchEncryptedAtRest, + OpenSearchInVPCOnly, + OpenSearchNodeToNodeEncryption, +} from '../rules/opensearch'; +import { + RDSAutomaticMinorVersionUpgradeEnabled, + RDSInBackupPlan, + RDSInstanceDeletionProtectionEnabled, + RDSInstancePublicAccess, + RDSLoggingEnabled, + RDSMultiAZSupport, + RDSStorageEncrypted, +} from '../rules/rds'; +import { + RedshiftRequireTlsSSL, + RedshiftBackupEnabled, + RedshiftClusterConfiguration, + RedshiftClusterMaintenanceSettings, + RedshiftClusterPublicAccess, +} from '../rules/redshift'; +import { + S3BucketLevelPublicAccessProhibited, + S3BucketLoggingEnabled, + S3BucketPublicReadProhibited, + S3BucketPublicWriteProhibited, + S3BucketServerSideEncryptionEnabled, + S3BucketSSLRequestsOnly, + S3BucketVersioningEnabled, + S3DefaultEncryptionKMS, +} from '../rules/s3'; +import { + SageMakerEndpointConfigurationKMSKeyConfigured, + SageMakerNotebookInstanceKMSKeyConfigured, + SageMakerNotebookNoDirectInternetAccess, +} from '../rules/sagemaker'; +import { SecretsManagerUsingKMSKey } from '../rules/secretsmanager'; +import { SNSEncryptedKMS } from '../rules/sns'; +import { + VPCFlowLogsEnabled, + VPCDefaultSecurityGroupClosed, +} from '../rules/vpc'; +import { WAFv2LoggingEnabled } from '../rules/waf'; + +/** + * Check for NZISM v36-1022-20 compliance. + * Based on the NZISM v36-1022-20: + * */ + +export class NZISM36Checks extends NagPack { + constructor(props?: NagPackProps) { + super(props); + this.packName = 'NZISM3.6'; + } + public visit(node: IConstruct): void { + if (node instanceof CfnResource) { + this.checkELB(node); + this.checkAPIGW(node); + this.checkCloudTrail(node); + this.checkCloudFront(node); + this.checkKMS(node); + this.checkCloudWatch(node); + this.checkRDS(node); + this.checkECS(node); + this.checkEFS(node); + this.checkDMS(node); + this.checkDynamoDB(node); + this.checkEC2(node); + this.checkElasticBeanstalk(node); + this.checkElastiCache(node); + this.checkLambda(node); + this.checkOpenSearch(node); + this.checkIAM(node); + this.checkRedshift(node); + this.checkS3(node); + this.checkSageMaker(node); + this.checkSecretsManager(node); + this.checkSNS(node); + this.checkVPC(node); + this.checkWAF(node); + } + } + + /** + * Check API Gateway Resources + * E + * @param node the CfnResource to check + * @param ignores list of ignores for the resource + */ + private checkAPIGW(node: CfnResource): void { + this.applyRule({ + info: 'The API Gateway stage does not have execution logging enabled for all methods. | SHOULD 16.6.10.C.02[CID:2013], MUST 23.5.11.C.01[CID:7496] ', + explanation: + 'API Gateway logging displays detailed views of users who accessed the API and the way they accessed the API. This insight enables visibility of user activities.', + level: NagMessageLevel.ERROR, + rule: APIGWExecutionLoggingEnabled, + node: node, + }); + } + + /** + * Check CloudFront Resources + * @param node + * @param ignores + */ + private checkCloudFront(node: CfnResource): void { + this.applyRule({ + info: 'The CloudFront distribution does not have access logging enabled. | SHOULD 16.6.10.C.02[CID:2013], MUST 23.5.11.C.01[CID:7496]', + explanation: + 'Enabling access logs helps operators track all viewer requests for the content delivered through the Content Delivery Network.', + level: NagMessageLevel.ERROR, + rule: CloudFrontDistributionAccessLogging, + node: node, + }); + this.applyRule({ + info: 'The CloudFront distribution requires integration with WAF | MUST 19.1.12.C.01[CID:3562]', + explanation: + 'The Web Application Firewall can help protect against application-layer attacks that can compromise the security of the system or place unnecessary load on them.', + level: NagMessageLevel.ERROR, + rule: CloudFrontDistributionWAFIntegration, + node: node, + }); + + this.applyRule({ + info: 'The CloudFront distribution allows for SSLv3 or TLSv1 for HTTPS viewer connections | MUST 16.1.37.C.01[CID:1847]', + explanation: + 'Vulnerabilities have been and continue to be discovered in the deprecated SSL and TLS protocols. Help protect viewer connections by specifying a viewer certificate that enforces a minimum of TLSv1.1 or TLSv1.2 in the security policy. Distributions that use the default CloudFront viewer certificate or use vip for the SslSupportMethod are non-compliant with this rule, as the minimum security policy is set to TLSv1 regardless of the specified MinimumProtocolVersion', + level: NagMessageLevel.ERROR, + rule: CloudFrontDistributionHttpsViewerNoOutdatedSSL, + node: node, + }); + + // this rule is a new addition + this.applyRule({ + info: 'The Cloudfront distribution requires a default object | SHOULD 14.5.6.C.01[CID:1661]', + explanation: + 'Specifying a default root object lets you avoid exposing the contents of your distribution', + level: NagMessageLevel.WARN, + rule: CloudFrontDefaultRootObjectConfigured, + node: node, + }); + } + + /** + * Check CloudTrail Resources + * @param node the CfnResource to check + * @param ignores list of ignores for the resource + */ + private checkCloudTrail(node: CfnResource): void { + this.applyRule({ + info: 'The trail does not have CloudWatch logs enabled | SHOULD 16.6.6.C.02[CID:1998], MUST 16.4.35.C.02[CID:6860])', + explanation: + 'Use Amazon CloudWatch to centrally collect and manage log event activity. Inclusion of AWS CloudTrail data provides details of API call activity within your AWS account.', + level: NagMessageLevel.ERROR, + rule: CloudTrailCloudWatchLogsEnabled, + node: node, + }); + + this.applyRule({ + info: 'The trail does not have encryption enabled | SHOULD 17.1.46.C.04[CID:2082]', + explanation: + 'Because sensitive data may exist and to help protect data at rest, ensure encryption is enabled for your AWS CloudTrail trails.', + level: NagMessageLevel.WARN, + rule: CloudTrailEncryptionEnabled, + node: node, + }); + + this.applyRule({ + info: 'The trail does not have encryption enabled - MUST 16.6.12.C.01[CID:2022], MUST 23.5.11.C.01[CID:7496]', + explanation: + 'Utilize AWS CloudTrail log file validation to check the integrity of CloudTrail logs. Log file validation helps determine if a log file was modified or deleted or unchanged after CloudTrail delivered it. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection.', + level: NagMessageLevel.ERROR, + rule: CloudTrailLogFileValidationEnabled, + node: node, + }); + } + + /** + * Check CloudWatch Resources + * @param node the CfnResource to check + * @param ignores list of ignores for the resource + */ + + private checkCloudWatch(node: CfnResource): void { + this.applyRule({ + info: 'The CloudWatch Log Group does not have an explicit retention period configured - SHOULD 16.6.6.C.02[CID:1998], MUST 16.6.13.C.01[CID:2028]', + explanation: + 'Ensure a minimum duration of event log data is retained for your log groups to help with troubleshooting and forensics investigations. The lack of available past event log data makes it difficult to reconstruct and identify potentially malicious events.', + level: NagMessageLevel.ERROR, + rule: CloudWatchLogGroupRetentionPeriod, + node: node, + }); + + this.applyRule({ + info: 'The CloudWatch Log Group is not encrypted with an AWS KMS key | MUST 16.6.12.C.01[CID:2022], MUST 23.5.11.C.01[CID:7496]', + explanation: + 'To help protect sensitive data at rest, ensure encryption is enabled for your Amazon CloudWatch Log Groups.', + level: NagMessageLevel.ERROR, + rule: CloudWatchLogGroupEncrypted, + node: node, + }); + } + + /** + * Check DMS Resources + * @param node the CfnResource to check + * @param ignores list of ignores for the resource + */ + private checkDMS(node: CfnResource) { + this.applyRule({ + info: 'The DMS replication instance is public | MUST 19.1.12.C.01[CID:3562], MUST 23.4.10.C.01[CID:7466]', + explanation: + 'DMS replication instances can contain sensitive information and access control is required for such accounts.', + level: NagMessageLevel.ERROR, + rule: DMSReplicationNotPublic, + node: node, + }); + } + + /** + * Check DynamoDB Resources + * @param node the CfnResource to check + * @param ignores list of ignores for the resource + */ + private checkDynamoDB(node: CfnResource) { + this.applyRule({ + info: 'The provisioned capacity DynamoDB table does not have Auto Scaling enabled on its indexes | MUST 22.1.23.C.01[CID:4829]', + explanation: + 'Amazon DynamoDB auto scaling uses the AWS Application Auto Scaling service to adjust provisioned throughput capacity that automatically responds to actual traffic patterns. This enables a table or a global secondary index to increase its provisioned read/write capacity to handle sudden increases in traffic, without throttling.', + level: NagMessageLevel.ERROR, // TODO: This appears to be an unusal requirement. If t + rule: DynamoDBAutoScalingEnabled, + node: node, + }); + this.applyRule({ + info: 'The DynamoDB table is not in an AWS Backup plan - MUST 22.1.26.C.01[CID:4849]', + explanation: + 'To help with data back-up processes, ensure your Amazon DynamoDB tables are a part of an AWS Backup plan. AWS Backup is a fully managed backup service with a policy-based backup solution. This solution simplifies your backup management and enables you to meet your business and regulatory backup compliance requirements.', + level: NagMessageLevel.ERROR, + rule: DynamoDBInBackupPlan, + node: node, + }); + this.applyRule({ + info: 'The DynamoDB table does not have Point-in-time Recovery enabled | MUST 22.1.26.C.01[CID:4849]', + explanation: + 'The recovery maintains continuous backups of your table for the last 35 days.', + level: NagMessageLevel.ERROR, + rule: DynamoDBPITREnabled, + node: node, + }); + } + + /** + * Check EC2 Resources + * @param node the CfnResource to check + * @param ignores list of ignores for the resource + */ + private checkEC2(node: CfnResource): void { + this.applyRule({ + info: 'The EBS volume is not in an AWS Backup plan | MUST 22.1.26.C.01[CID:4849]', + explanation: + 'To help with data back-up processes, ensure your Amazon Elastic Block Store (Amazon EBS) volumes are a part of an AWS Backup plan. AWS Backup is a fully managed backup service with a policy-based backup solution. This solution simplifies your backup management and enables you to meet your business and regulatory backup compliance requirements.', + level: NagMessageLevel.ERROR, + rule: EC2EBSInBackupPlan, + node: node, + }); + + this.applyRule({ + info: 'The EC2 instance is associated with a public IP address | MUST 19.1.12.C.01[CID:3562], MUST 23.4.10.C.01[CID:7466]', + explanation: + 'Manage access to the AWS Cloud by ensuring Amazon Elastic Compute Cloud (Amazon EC2) instances cannot be publicly accessed. Amazon EC2 instances can contain sensitive information and access control is required for such accounts.', + level: NagMessageLevel.ERROR, + rule: EC2InstanceNoPublicIp, + node: node, + }); + + this.applyRule({ + info: 'The EC2 instance is not within a VPC - MUST 19.1.12.C.01[CID:3562], MUST 23.4.10.C.01[CID:7466]', + explanation: + 'Deploy Amazon Elastic Compute Cloud (Amazon EC2) instances within an Amazon Virtual Private Cloud (Amazon VPC) to enable secure communication between an instance and other services within the amazon VPC, without requiring an internet gateway, NAT device, or VPN connection. All traffic remains securely within the AWS Cloud. Because of their logical isolation, domains that reside within anAmazon VPC have an extra layer of security when compared to domains that use public endpoints. Assign Amazon EC2 instances to an Amazon VPC to properly manage access.', + level: NagMessageLevel.ERROR, + rule: EC2InstancesInVPC, + node: node, + }); + + this.applyRule({ + info: 'The EBS volume has encryption disabled- SHOULD 17.1.46.C.04[CID:2082], SHOULD 22.1.24.C.04[CID:4839]', + explanation: + 'With EBS encryption, you aren not required to build, maintain, and secure your own key management infrastructure. EBS encryption uses KMS keys when creating encrypted volumes and snapshots. This helps protect data at rest.', + level: NagMessageLevel.WARN, + rule: EC2EBSVolumeEncrypted, + node: node, + }); + + this.applyRule({ + info: 'The Security Group allows unrestricted SSH access - SHOULD 17.5.8.C.02[CID:2726]', + explanation: + 'Not allowing ingress (or remote) traffic from 0.0.0.0/0 or ::/0 to port 22 on your resources helps to restrict remote access.', + level: NagMessageLevel.ERROR, + rule: EC2RestrictedSSH, + node: node, + }); + + // this is new rule + this.applyRule({ + info: 'The Security Group allows access other than tcp 443 - SHOULD 18.1.13.C.02[CID:3205]', + explanation: + 'Not allowing ingress (or remote) traffic to ports other than tcp port 443 helps improve security', + level: NagMessageLevel.WARN, + rule: EC2SecurityGroupOnlyTcp443, + node: node, + }); + + // this can be modified to use EC2IMDVs enabled. + this.applyRule({ + info: 'THe Ec2 Instance does not use IMDSv2 | MUST 19.1.12.C.01[CID:3562], MUST 23.4.10.C.01[CID:7466]', + explanation: + 'IMDSv2 adds additional protection by using session authentication to the Instance Meta Data Service', + level: NagMessageLevel.ERROR, + rule: EC2IMDSv2Enabled, + node: node, + }); + } + + /** + * Check ECS Resources + * @param node the CfnResource to check + * @param ignores list of ignores for the resource + */ + private checkECS(node: CfnResource): void { + this.applyRule({ + info: 'The ECS task definition is configured for host networking and has at least one container with definitions with privileged set to false or empty or user set to root or empty | SHOULD 14.1.8.C.01[CID:1149]', + explanation: + 'If a task definition has elevated privileges it is because you have specifically opted-in to those configurations. This rule checks for unexpected privilege escalation when a task definition has host networking enabled but the customer has not opted-in to elevated privileges.', + level: NagMessageLevel.WARN, + rule: ECSTaskDefinitionUserForHostMode, + node: node, + }); + } + + /** + * Check EFS Resources + * @param node the CfnResource to check + * @param ignores list of ignores for the resource + */ + private checkEFS(node: CfnResource) { + this.applyRule({ + info: 'The EFS is not in an AWS Backup plan - MUST 22.1.26.C.01[CID:4849]', + explanation: + 'To help with data back-up processes, ensure your Amazon Elastic File System (Amazon EFS) file systems are a part of an AWS Backup plan. AWS Backup is a fully managed backup service with a policy-based backup solution. This solution simplifies your backup management and enables you to meet your business and regulatory backup compliance requirements.', + level: NagMessageLevel.ERROR, + rule: EFSInBackupPlan, + node: node, + }); + this.applyRule({ + info: 'The EFS does not have encryption at rest enabled = SHOULD 17.1.46.C.04[CID:2082], SHOULD 22.1.24.C.04[CID:4839]', + explanation: + 'Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your Amazon Elastic File System (EFS).', + level: NagMessageLevel.WARN, + rule: EFSEncrypted, + node: node, + }); + } + + /** + * Check ElastiCache Resources + * @param node the CfnResource to check + * @param ignores list of ignores for the resource + */ + private checkElastiCache(node: CfnResource) { + this.applyRule({ + info: 'The ElastiCache Redis cluster does not retain automatic backups for at least 15 day - MUST 22.1.26.C.01[CID:4849]', + explanation: + 'Automatic backups can help guard against data loss. If a failure occurs, you can create a new cluster, which restores your data from the most recent backup.', + level: NagMessageLevel.ERROR, + rule: ElastiCacheRedisClusterAutomaticBackup, + node: node, + }); + } + + /** + * Check Elastic Beanstalk Resources + * @param node the CfnResource to check + * @param ignores list of ignores for the resource + */ + private checkElasticBeanstalk(node: CfnResource): void { + this.applyRule({ + info: 'The Elastic Beanstalk environment does not have enhanced health reporting enabled | SHOULD 12.4.4.C.05[CID:3452]', + explanation: + 'Enabling managed platform updates for an Amazon Elastic Beanstalk environment ensures that the latest available platform fixes, updates, and features for the environment are installed. Keeping up to date with patch installation is a best practice in securing systems.', + level: NagMessageLevel.WARN, + rule: ElasticBeanstalkManagedUpdatesEnabled, + node: node, + }); + } + + /** + * Check Elastic Load Balancer Resources + * @param node the CfnResource to check + * @param ignores list of ignores for the resource + */ + + private checkELB(node: CfnResource): void { + this.applyRule({ + info: 'The ALBs HTTP listeners are not configured to redirect to HTTPS | MUST 16.1.37.C.01[CID:1847], MUST 17.1.48.C.03[CID:2091]', + explanation: + 'To help protect data in transit, ensure that your Application Load Balancer automatically redirects unencrypted HTTP requests to HTTPS. Because sensitive data can exist, enable encryption in transit to help protect that data.', + level: NagMessageLevel.ERROR, + rule: ALBHttpToHttpsRedirection, + node: node, + }); + + this.applyRule({ + info: 'The ALB is not associated with AWS WAFv2 web ACL | MUST 19.1.12.C.01[CID:3562], SHOULD 20.3.7.C.02[CID:4333], MUST 23.4.10.C.01[CID:7466]', + explanation: + 'A WAF helps to protect your web applications or APIs against common web exploits. These web exploits may affect availability, compromise security, or consume excessive resources within your environment.', + level: NagMessageLevel.ERROR, + rule: ALBWAFEnabled, + node: node, + }); + + this.applyRule({ + info: 'MUST 22.1.23.C.01[CID:4829]| Enterprise systems security/Cloud Computing/System Availability', + explanation: + "Enable cross-zone load balancing for your Classic Load Balancers (CLBs) to help maintain adequate capacity and availability. The cross-zone load balancing reduces the need to maintain equivalent numbers of instances in each enabled availability zone. It also improves your application's ability to handle the loss of one or more instances.", + level: NagMessageLevel.ERROR, + rule: ELBCrossZoneLoadBalancingEnabled, + node: node, + }); + + this.applyRule({ + info: 'The ELB does not have logging enabled | SHOULD 16.6.10.C.02[CID:2013], MUST 23.5.11.C.01[CID:7496]', + explanation: + "Elastic Load Balancing activity is a central point of communication within an environment. Ensure ELB logging is enabled. The collected data provides detailed information about requests sent to The ELB. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses.", + level: NagMessageLevel.ERROR, + rule: ELBLoggingEnabled, + node: node, + }); + this.applyRule({ + info: 'The CLB does not restrict its listeners to only the SSL and HTTPS protocol | SHOULD 14.5.8.C.01[CID:1667], MUST 16.1.37.C.01[CID:1847], MUST 17.1.48.C.03[CID:2091], SHOULD 22.1.24.C.04[CID:4839]', + explanation: + 'Ensure that your Classic Load Balancers (CLBs) are configured with SSL or HTTPS listeners. Because sensitive data can exist, enable encryption in transit to help protect that data.', + level: NagMessageLevel.ERROR, + rule: ELBTlsHttpsListenersOnly, + node: node, + }); + } + + /** + * Check IAM Resources + * @param node the CfnResource to check + * @param ignores list of ignores for the resource + */ + private checkIAM(node: CfnResource): void { + this.applyRule({ + info: 'The IAM policy grants admin access, meaning the policy allows a principal to perform all actions on all resources | SHOULD 16.3.5.C.02[CID:1946]', + explanation: + 'AWS Identity and Access Management (IAM) can help you incorporate the principles of least privilege and separation of duties with access permissions and authorizations, by ensuring that IAM groups have at least one IAM user. Placing IAM users in groups based on their associated permissions or job function is one way to incorporate least privilege.', + level: NagMessageLevel.WARN, + rule: IAMPolicyNoStatementsWithAdminAccess, + node: node, + }); + } + + /** + * Check KMS Resources + * @param node the CfnResource to check + * @param ignores list of ignores for the resource + */ + private checkKMS(node: CfnResource): void { + this.applyRule({ + info: 'The KMS Symmetric key does not have automatic key rotation enabled | SHOULD 17.9.25.C.01[CID:3021]', + explanation: + 'Enable key rotation to ensure that keys are rotated once they have reached the end of their crypto period.', + level: NagMessageLevel.WARN, + rule: KMSBackingKeyRotationEnabled, + node: node, + }); + } + + /** + * Check Lambda + * @param node + */ + + private checkLambda(node: CfnResource) { + this.applyRule({ + info: 'The Lambda function permission grants public access - MUST 19.1.12.C.01[CID:3562], MUST 23.4.10.C.01[CID:7466]', + explanation: + 'Public access allows anyone on the internet to perform unauthenticated actions on your function and can potentially lead to degraded availability.', + level: NagMessageLevel.ERROR, + rule: LambdaFunctionPublicAccessProhibited, + node: node, + }); + } + + /** + * Check OpenSearch Resources + * @param node the CfnResource to check + * @param ignores list of ignores for the resource + */ + private checkOpenSearch(node: CfnResource) { + this.applyRule({ + info: 'The OpenSearch Service domain does not have encryption at rest enabled | SHOULD 17.1.46.C.04[CID:2082], SHOULD 20.4.4.C.02[CID:4441], SHOULD 22.1.24.C.04[CID:4839]', + explanation: + 'Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your Amazon OpenSearch Service (OpenSearch Service) domains.', + level: NagMessageLevel.WARN, + rule: OpenSearchEncryptedAtRest, + node: node, + }); + + this.applyRule({ + info: 'The OpenSearch Service domain is not running within a VPC | MUST 19.1.12.C.01[CID:3562], SHOULD 19.1.14.C.02[CID:3623]', + explanation: + 'VPCs help secure your AWS resources and provide an extra layer of protection.', + level: NagMessageLevel.ERROR, + rule: OpenSearchInVPCOnly, + node: node, + }); + + this.applyRule({ + info: 'The OpenSearch Service domain does not have node-to-node encryption enabled | MUST 16.1.37.C.01[CID:1847], SHOULD 22.1.24.C.04[CID:4839]', + explanation: + 'Because sensitive data can exist, enable encryption in transit to help protect that data within your Amazon OpenSearch Service (OpenSearch Service) domains.', + level: NagMessageLevel.ERROR, + rule: OpenSearchNodeToNodeEncryption, + node: node, + }); + } + + /** + * Check RDS Resources + * @param node the CfnResource to check + * @param ignores list of ignores for the resource + */ + private checkRDS(node: CfnResource): void { + this.applyRule({ + info: 'The RDS DB Instance or Aurora Cluster does not have deletion protection enabled | MUST 22.1.26.C.01[CID:4849]', + explanation: + 'Ensure Amazon Relational Database Service (Amazon RDS) instances and clusters have deletion protection enabled. Use deletion protection to prevent your Amazon RDS DB instances and clusters from being accidentally or maliciously deleted, which can lead to loss of availability for your applications.', + level: NagMessageLevel.ERROR, + rule: RDSInstanceDeletionProtectionEnabled, + node: node, + }); + + this.applyRule({ + info: 'The RDS DB Instance does not have multi-AZ support | MUST 22.1.23.C.01[CID:4829]', + explanation: + 'Ensure Amazon Relational Database Service (Amazon RDS) instances and clusters have deletion protection enabled. Use deletion protection to prevent your Amazon RDS DB instances and clusters from being accidentally or maliciously deleted, which can lead to loss of availability for your applications.', + level: NagMessageLevel.ERROR, + rule: RDSMultiAZSupport, + node: node, + }); + + this.applyRule({ + info: 'The RDS DB instance is not in an AWS Backup plan | MUST 22.1.26.C.01[CID:4849]', + explanation: + 'To help with data back-up processes, ensure your Amazon Relational Database Service (Amazon RDS) instances are a part of an AWS Backup plan. AWS Backup is a fully managed backup service with a policy-based backup solution. This solution simplifies your backup management and enables you to meet your business and regulatory backup compliance requirements.', + level: NagMessageLevel.ERROR, + rule: RDSInBackupPlan, + node: node, + }); + + this.applyRule({ + info: 'The RDS DB Instance allows public access | MUST 19.1.12.C.01[CID:3562], SHOULD 19.1.14.C.02[CID:3623], MUST 23.4.10.C.01[CID:7466]', + explanation: + 'Amazon RDS database instances can contain sensitive information, and principles and access control is required for such accounts.', + level: NagMessageLevel.ERROR, + rule: RDSInstancePublicAccess, + node: node, + }); + + this.applyRule({ + info: 'The non-Aurora RDS DB instance or Aurora cluster does not have all CloudWatch log types exported | SHOULD 16.6.10.C.02[CID:2013], SHOULD 20.4.4.C.02[CID:4441], SHOULD 20.4.5.C.02[CID:4445], MUST 23.5.11.C.01[CID:7496]', + explanation: + 'To help with logging and monitoring within your environment, ensure Amazon Relational Database Service (Amazon RDS) logging is enabled. With Amazon RDS logging, you can capture events such as connections, disconnections, queries, or tables queried.' + + "This is a granular rule that returns individual findings that can be suppressed with 'appliesTo'. The findings are in the format 'LogExport::' for exported logs. Example: appliesTo: ['LogExport::audit'].", + level: NagMessageLevel.ERROR, + rule: RDSLoggingEnabled, + node: node, + }); + + this.applyRule({ + info: 'The RDS DB Instance or Aurora Cluster does not have storage encrypted | SHOULD 17.1.46.C.04[CID:2082], SHOULD 20.4.4.C.02[CID:4441], SHOULD 22.1.24.C.04[CID:4839]', + explanation: + 'Because sensitive data can exist at rest in Amazon RDS instances, enable encryption at rest to help protect that data.', + level: NagMessageLevel.WARN, + rule: RDSStorageEncrypted, + node: node, + }); + + this.applyRule({ + info: 'RDS DB Instance is not configured for minor patches | SHOULD 12.4.4.C.05[CID:3452]', + explanation: 'Provides automatic Patching in the Database', + level: NagMessageLevel.WARN, + rule: RDSAutomaticMinorVersionUpgradeEnabled, + node: node, + }); + } + + /** + * Check Redshift Resources + * @param node the CfnResource to check + * @param ignores list of ignores for the resource + */ + private checkRedshift(node: CfnResource): void { + this.applyRule({ + info: 'The Redshift cluster does not have automated snapshots enabled or the retention period is not between 1 and 35 days | MUST 22.1.26.C.01[CID:4849]', + explanation: + 'To help with data back-up processes, ensure your Amazon Redshift clusters have automated snapshots. When automated snapshots are enabled for a cluster, Redshift periodically takes snapshots of that cluster. By default, Redshift takes a snapshot every eight hours or every 5 GB per node of data changes, or whichever comes first.', + level: NagMessageLevel.ERROR, + rule: RedshiftBackupEnabled, + node: node, + }); + + this.applyRule({ + info: 'The Redshift cluster does not have encryption or audit logging enabled | SHOULD 20.4.4.C.02[CID:4441], SHOULD 20.4.5.C.02[CID:4445], SHOULD 22.1.24.C.04[CID:4839]', + explanation: + 'To protect data at rest, ensure that encryption is enabled for your Amazon Redshift clusters. You must also ensure that required configurations are deployed on Amazon Redshift clusters. The audit logging should be enabled to provide information about connections and user activities in the database.', + level: NagMessageLevel.ERROR, + rule: RedshiftClusterConfiguration, + node: node, + }); + + this.applyRule({ + info: 'The Redshift cluster does not have version upgrades enabled, automated snapshot retention periods enabled, and an explicit maintenance window configure MUST 12.4.4.C.02[CID:3449], SHOULD 12.4.4.C.06[CID:3453]', + explanation: + 'Ensure that Amazon Redshift clusters have the preferred settings for your organization. Specifically, that they have preferred maintenance windows and automated snapshot retention periods for the database. ', + level: NagMessageLevel.ERROR, + rule: RedshiftClusterMaintenanceSettings, + node: node, + }); + + this.applyRule({ + info: 'Redshift must not be made publically avaialble | MUST 19.1.12.C.01[CID:3562], SHOULD 19.1.14.C.02[CID:3623], MUST 23.4.10.C.01[CID:7466]', + explanation: + 'Amazon Redshift clusters can contain sensitive information and principles and access control is required for such accounts.', + level: NagMessageLevel.ERROR, + rule: RedshiftClusterPublicAccess, + node: node, + }); + + this.applyRule({ + info: 'The Redshift cluster must use TLS/SSL encryption. MUST 17.1.48.C.03[CID:2091], SHOULD 22.1.24.C.04[CID:4839]', + explanation: + 'Ensure that your Amazon Redshift clusters require TLS/SSL encryption to connect to SQL clients. Because sensitive data can exist, enable encryption in transit to help protect that data.', + level: NagMessageLevel.ERROR, + rule: RedshiftRequireTlsSSL, + node: node, + }); + } + + /** + * Check Amazon S3 Resources + * @param node the CfnResource to check + * @param ignores list of ignores for the resource + */ + private checkS3(node: CfnResource): void { + this.applyRule({ + info: 'The S3 bucket does not prohibit public access through bucket level settings SHOULD 22.1.24.C.03[CID:4838]', + explanation: + 'Keep sensitive data safe from unauthorized remote users by preventing public access at the bucket level.', + level: NagMessageLevel.WARN, + rule: S3BucketLevelPublicAccessProhibited, + node: node, + }); + // THIS IS NEW RULE. + this.applyRule({ + info: 'The S3 Bucket does not have default server-side encryption enabled | SHOULD 17.1.46.C.04[CID:2082]', + explanation: + 'Because sensitive data can exist at rest in Amazon S3 buckets, enable encryption to help protect that data.', + level: NagMessageLevel.WARN, + rule: S3BucketServerSideEncryptionEnabled, + node: node, + }); + this.applyRule({ + info: 'The S3 Bucket or bucket policy does not require requests to use SSL | SHOULD 22.1.24.C.04[CID:4839]|', + explanation: + 'To help protect data in transit, ensure that your Amazon Simple Storage Service (Amazon S3) buckets require requests to use Secure Socket Layer (SSL). Because sensitive data can exist, enable encryption in transit to help protect that data.', + level: NagMessageLevel.WARN, + rule: S3BucketSSLRequestsOnly, + node: node, + }); + this.applyRule({ + info: 'The S3 Buckets does not have server access logs enabled | MUST 22.1.26.C.01[CID:4849]', + explanation: + 'Amazon Simple Storage Service (Amazon S3) server access logging provides a method to monitor the network for potential cybersecurity events. The events are monitored by capturing detailed records for the requests that are made to an Amazon S3 bucket. Each access log record provides details about a single access request. The details include the requester, bucket name, request time, request action, response status, and an error code, if relevant.', + level: NagMessageLevel.ERROR, + rule: S3BucketLoggingEnabled, + node: node, + }); + + this.applyRule({ + info: 'The S3 Bucket does not prohibit public read access through its Block Public Access configurations and bucket ACLs | SHOULD 22.1.24.C.03[CID:4838]', + explanation: + 'The management of access should be consistent with the classification of the data.', + level: NagMessageLevel.WARN, + rule: S3BucketPublicReadProhibited, + node: node, + }); + this.applyRule({ + info: 'The S3 Bucket does not prohibit public write access through its Block Public Access configurations and bucket ACLs | SHOULD 22.1.24.C.03[CID:4838]', + explanation: + 'The management of access should be consistent with the classification of the data.', + level: NagMessageLevel.WARN, + rule: S3BucketPublicWriteProhibited, + node: node, + }); + this.applyRule({ + info: 'The S3 Bucket does not have versioning enabled | MUST 22.1.26.C.01[CID:4849]', + explanation: + 'Use versioning to preserve, retrieve, and restore every version of every object stored in your Amazon S3 bucket. Versioning helps you to easily recover from unintended user actions and application failures.', + level: NagMessageLevel.ERROR, + rule: S3BucketVersioningEnabled, + node: node, + }); + this.applyRule({ + info: 'The S3 Bucket is not encrypted with a KMS Key by default | SHOULD 17.1.46.C.04[CID:2082]| Cryptography/Cryptographic Fundamentals/Reducing storage and physical transfer requirements', + explanation: + 'Ensure that encryption is enabled for your Amazon Simple Storage Service (Amazon S3) buckets. Because sensitive data can exist at rest in an Amazon S3 bucket, enable encryption at rest to help protect that data.', + level: NagMessageLevel.WARN, + rule: S3DefaultEncryptionKMS, + node: node, + }); + } + + /** + * Check SageMaker Resources + * @param node the CfnResource to check + * @param ignores list of ignores for the resource + */ + private checkSageMaker(node: CfnResource) { + this.applyRule({ + info: 'The SageMaker resource endpoint is not encrypted with a KMS key | SHOULD 22.1.24.C.04[CID:4839]', + explanation: + 'Because sensitive data can exist at rest in SageMaker endpoint, enable encryption at rest to help protect that data.', + level: NagMessageLevel.WARN, + rule: SageMakerEndpointConfigurationKMSKeyConfigured, + node: node, + }); + this.applyRule({ + info: 'The SageMaker notebook is not encrypted with a KMS key | SHOULD 22.1.24.C.04[CID:4839]', + explanation: + 'Because sensitive data can exist at rest in SageMaker notebook, enable encryption at rest to help protect that data.', + level: NagMessageLevel.WARN, + rule: SageMakerNotebookInstanceKMSKeyConfigured, + node: node, + }); + this.applyRule({ + info: 'The SageMaker notebook does not disable direct internet access | MUST 19.1.12.C.01[CID:3562], MUST 23.4.10.C.01[CID:7466]', + explanation: + 'By preventing direct internet access, you can keep sensitive data from being accessed by unauthorized users.', + level: NagMessageLevel.ERROR, + rule: SageMakerNotebookNoDirectInternetAccess, + node: node, + }); + } + + /** + * Check Secrets Manager Resources + * @param node the CfnResource to check + * @param ignores list of ignores for the resource + */ + private checkSecretsManager(node: CfnResource): void { + this.applyRule({ + info: 'The secret is not encrypted with a KMS Customer managed key | SHOULD 22.1.24.C.04[CID:4839]', + explanation: + 'To help protect data at rest, ensure encryption with AWS Key Management Service (AWS KMS) is enabled for AWS Secrets Manager secrets. Because sensitive data can exist at rest in Secrets Manager secrets, enable encryption at rest to help protect that data.', + level: NagMessageLevel.WARN, + rule: SecretsManagerUsingKMSKey, + node: node, + }); + } + + /** + * Check Amazon SNS Resources + * @param node the CfnResource to check + * @param ignores list of ignores for the resource + */ + private checkSNS(node: CfnResource): void { + this.applyRule({ + info: 'The SNS topic does not have KMS encryption enabled | SHOULD 22.1.24.C.04[CID:4839]', + explanation: + 'To help protect data at rest, ensure that your Amazon Simple Notification Service (Amazon SNS) topics require encryption using AWS Key Management Service (AWS KMS) Because sensitive data can exist at rest in published messages, enable encryption at rest to help protect that data.', + level: NagMessageLevel.WARN, + rule: SNSEncryptedKMS, + node: node, + }); + } + + /** + * Check VPC Resources + * @param node the CfnResource to check + * @param ignores list of ignores for the resource + */ + private checkVPC(node: CfnResource): void { + this.applyRule({ + info: 'The VPCs default security group allows inbound or outbound traffic MUST 19.1.12.C.01[CID:3562], MUST 23.4.10.C.01[CID:7466]', + explanation: + 'Amazon Elastic Compute Cloud (Amazon EC2) security groups can help in the management of network access by providing stateful filtering of ingress and egress network traffic to AWS resources. Restricting all the traffic on the default security group helps in restricting remote access to your AWS resources.', + level: NagMessageLevel.ERROR, + rule: VPCDefaultSecurityGroupClosed, + node: node, + }); + this.applyRule({ + info: 'The VPC does not have an associated Flow Log | MUST 19.1.12.C.01[CID:3562], MUST 23.4.10.C.01[CID:7466]', + explanation: + 'The VPC flow logs provide detailed records for information about the IP traffic going to and from network interfaces in your Amazon Virtual Private Cloud (Amazon VPC). By default, the flow log record includes values for the different components of the IP flow, including the source, destination, and protocol.', + level: NagMessageLevel.ERROR, + rule: VPCFlowLogsEnabled, + node: node, + }); + } + + /** + * Check WAF Resources + * @param node the CfnResource to check + * @param ignores list of ignores for the resource + */ + private checkWAF(node: CfnResource): void { + this.applyRule({ + info: 'The WAFv2 web ACL does not have logging enabled | SHOULD 16.6.10.C.02[CID:2013], MUST 23.5.11.C.01[CID:7496]', + explanation: + 'AWS WAF logging provides detailed information about the traffic that is analyzed by your web ACL. The logs record the time that AWS WAF received the request from your AWS resource, information about the request, and an action for the rule that each request matched.', + level: NagMessageLevel.ERROR, + rule: WAFv2LoggingEnabled, + node: node, + }); + } +} diff --git a/src/rules/cloudfront/CloudFrontDefaultRootObjectConfigured.ts b/src/rules/cloudfront/CloudFrontDefaultRootObjectConfigured.ts new file mode 100644 index 0000000000..0342bd8f42 --- /dev/null +++ b/src/rules/cloudfront/CloudFrontDefaultRootObjectConfigured.ts @@ -0,0 +1,31 @@ +/* +Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +SPDX-License-Identifier: Apache-2.0 +*/ +import { parse } from 'path'; +import { CfnResource, Stack } from 'aws-cdk-lib'; +import { CfnDistribution } from 'aws-cdk-lib/aws-cloudfront'; +import { NagRuleCompliance } from '../../nag-rules'; + +/** + * CloudFront distributions should have a default Root Object + * @param node the CfnResource to check + */ +export default Object.defineProperty( + (node: CfnResource): NagRuleCompliance => { + if (node instanceof CfnDistribution) { + const distributionConfig = Stack.of(node).resolve( + node.distributionConfig + ); + + if (distributionConfig.defaultRootObject == undefined) { + return NagRuleCompliance.NON_COMPLIANT; + } + return NagRuleCompliance.COMPLIANT; + } else { + return NagRuleCompliance.NOT_APPLICABLE; + } + }, + 'name', + { value: parse(__filename).name } +); diff --git a/src/rules/cloudfront/index.ts b/src/rules/cloudfront/index.ts index d67d528893..9a58f93ecb 100644 --- a/src/rules/cloudfront/index.ts +++ b/src/rules/cloudfront/index.ts @@ -8,3 +8,4 @@ export { default as CloudFrontDistributionHttpsViewerNoOutdatedSSL } from './Clo export { default as CloudFrontDistributionNoOutdatedSSL } from './CloudFrontDistributionNoOutdatedSSL'; export { default as CloudFrontDistributionS3OriginAccessIdentity } from './CloudFrontDistributionS3OriginAccessIdentity'; export { default as CloudFrontDistributionWAFIntegration } from './CloudFrontDistributionWAFIntegration'; +export { default as CloudFrontDefaultRootObjectConfigured } from './CloudFrontDefaultRootObjectConfigured' diff --git a/src/rules/ec2/EC2SecurityGroupOnlyTcp443.ts b/src/rules/ec2/EC2SecurityGroupOnlyTcp443.ts new file mode 100644 index 0000000000..4977c3f1fa --- /dev/null +++ b/src/rules/ec2/EC2SecurityGroupOnlyTcp443.ts @@ -0,0 +1,100 @@ +/* +Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +SPDX-License-Identifier: Apache-2.0 +*/ +import { parse } from 'path'; +import { CfnResource, Stack } from 'aws-cdk-lib'; +import { CfnSecurityGroupIngress, CfnSecurityGroup } from 'aws-cdk-lib/aws-ec2'; +import { NagRuleCompliance, NagRules } from '../../nag-rules'; + +/** + * Security Groups should only allow inbound access to tcp443 + * @param node the CfnResource to check + */ +export default Object.defineProperty( + (node: CfnResource): NagRuleCompliance => { + if (node instanceof CfnSecurityGroup) { + const ingressRules = Stack.of(node).resolve(node.securityGroupIngress); + + if (ingressRules != undefined) { + //For each ingress rule, check that only TCP 443 is allowed from 0/0 + for (const rule of ingressRules) { + const resolvedcidrIp = NagRules.resolveIfPrimitive( + node, + Stack.of(node).resolve(rule).cidrIp + ); + const resolvedcidrIpv6 = NagRules.resolveIfPrimitive( + node, + Stack.of(node).resolve(rule).cidrIpv6 + ); + + // if ipv4 + if (resolvedcidrIp) { + // if the rule is not open to the world, it is compliant + if (!resolvedcidrIp.includes('/0')) { + return NagRuleCompliance.COMPLIANT; + } + } + // if ipv6 + if (resolvedcidrIpv6) { + // if the rule is not open to the world, it is compliant + if (!resolvedcidrIpv6.includes('/0')) { + return NagRuleCompliance.COMPLIANT; + } + } + + const ipProtocol = NagRules.resolveIfPrimitive( + node, + Stack.of(node).resolve(rule).ipProtocol + ); + const toPort = NagRules.resolveIfPrimitive( + node, + Stack.of(node).resolve(rule).toPort + ); + + if (!toPort) { + return NagRuleCompliance.NON_COMPLIANT; + } + + if (!(toPort === 443 && ipProtocol === 'tcp')) { + return NagRuleCompliance.NON_COMPLIANT; + } + } + } + + return NagRuleCompliance.COMPLIANT; + } else if (node instanceof CfnSecurityGroupIngress) { + const ipProtocol = NagRules.resolveIfPrimitive(node, node.ipProtocol); + const toPort = NagRules.resolveIfPrimitive(node, node.toPort); + const resolvedcidrIp = NagRules.resolveIfPrimitive(node, node.cidrIp); + const resolvedcidrIpv6 = NagRules.resolveIfPrimitive(node, node.cidrIpv6); + + // if ipv4 + if (resolvedcidrIp) { + if (resolvedcidrIp === '0.0.0.0/0') { + if (toPort === 443 && ipProtocol === 'tcp') { + return NagRuleCompliance.COMPLIANT; + } + return NagRuleCompliance.NON_COMPLIANT; + } + return NagRuleCompliance.COMPLIANT; + } + + // if ipv6 + if (resolvedcidrIpv6) { + if (resolvedcidrIpv6 === '::/0') { + if (toPort === 443 && ipProtocol === 'tcp') { + return NagRuleCompliance.COMPLIANT; + } + return NagRuleCompliance.NON_COMPLIANT; + } + return NagRuleCompliance.COMPLIANT; + } + } + + return NagRuleCompliance.NOT_APPLICABLE; + }, + + 'name', + { value: parse(__filename).name } +); diff --git a/src/rules/ec2/index.ts b/src/rules/ec2/index.ts index 277220b67a..6825df1a37 100644 --- a/src/rules/ec2/index.ts +++ b/src/rules/ec2/index.ts @@ -15,3 +15,4 @@ export { default as EC2RestrictedCommonPorts } from './EC2RestrictedCommonPorts' export { default as EC2RestrictedInbound } from './EC2RestrictedInbound'; export { default as EC2RestrictedSSH } from './EC2RestrictedSSH'; export { default as EC2SecurityGroupDescription } from './EC2SecurityGroupDescription'; +export { default as EC2SecurityGroupOnlyTcp443 } from './EC2SecurityGroupOnlyTcp443'; From c0ed6ef8be6a02420a92cba5e1951adf69efe7f5 Mon Sep 17 00:00:00 2001 From: mrpackethead Date: Mon, 4 Sep 2023 00:35:21 +0000 Subject: [PATCH 02/85] added s3 serverSideEncryption --- API.md | 48 ++++++++++++++++- src/packs/nzism-v36-1022-20.ts | 3 +- src/rules/cloudfront/index.ts | 2 +- .../s3/S3BucketServerSideEncryptionEnabled.ts | 52 +++++++++++++++++++ src/rules/s3/index.ts | 1 + 5 files changed, 103 insertions(+), 3 deletions(-) create mode 100644 src/rules/s3/S3BucketServerSideEncryptionEnabled.ts diff --git a/API.md b/API.md index 40ee7d31c9..fd288c6f2d 100644 --- a/API.md +++ b/API.md @@ -9,6 +9,7 @@ Name|Description [HIPAASecurityChecks](#cdk-nag-hipaasecuritychecks)|Check for HIPAA Security compliance. [NIST80053R4Checks](#cdk-nag-nist80053r4checks)|Check for NIST 800-53 rev 4 compliance. [NIST80053R5Checks](#cdk-nag-nist80053r5checks)|Check for NIST 800-53 rev 5 compliance. +[NZISM36Checks](#cdk-nag-nzism36checks)|Check for NZISM v36-1022-20 compliance. [NagPack](#cdk-nag-nagpack)|Base class for all rule packs. [NagReportLogger](#cdk-nag-nagreportlogger)|A NagLogger that creates compliance reports. [NagRules](#cdk-nag-nagrules)|Helper class with methods for rule creation. @@ -412,12 +413,57 @@ visit(node: IConstruct): void +## class NZISM36Checks + +Check for NZISM v36-1022-20 compliance. + +Based on the NZISM v36-1022-20: + +__Implements__: [IAspect](#aws-cdk-lib-iaspect) +__Extends__: [NagPack](#cdk-nag-nagpack) + +### Initializer + + + + +```ts +new NZISM36Checks(props?: NagPackProps) +``` + +* **props** ([NagPackProps](#cdk-nag-nagpackprops)) *No description* + * **additionalLoggers** (Array<[INagLogger](#cdk-nag-inaglogger)>) Additional NagLoggers for logging rule validation outputs. __*Optional*__ + * **logIgnores** (boolean) Whether or not to log suppressed rule violations as informational messages (default: false). __*Optional*__ + * **reportFormats** (Array<[NagReportFormat](#cdk-nag-nagreportformat)>) If reports are enabled, the output formats of compliance reports in the App's output directory (default: only CSV). __*Optional*__ + * **reports** (boolean) Whether or not to generate compliance reports for applied Stacks in the App's output directory (default: true). __*Optional*__ + * **suppressionIgnoreCondition** ([INagSuppressionIgnore](#cdk-nag-inagsuppressionignore)) Conditionally prevent rules from being suppressed (default: no user provided condition). __*Optional*__ + * **verbose** (boolean) Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages (default: false). __*Optional*__ + + +### Methods + + +#### visit(node) + +All aspects can visit an IConstruct. + +```ts +visit(node: IConstruct): void +``` + +* **node** ([IConstruct](#constructs-iconstruct)) *No description* + + + + + + ## class NagPack Base class for all rule packs. __Implements__: [IAspect](#aws-cdk-lib-iaspect) -__Implemented by__: [AwsSolutionsChecks](#cdk-nag-awssolutionschecks), [HIPAASecurityChecks](#cdk-nag-hipaasecuritychecks), [NIST80053R4Checks](#cdk-nag-nist80053r4checks), [NIST80053R5Checks](#cdk-nag-nist80053r5checks), [PCIDSS321Checks](#cdk-nag-pcidss321checks) +__Implemented by__: [AwsSolutionsChecks](#cdk-nag-awssolutionschecks), [HIPAASecurityChecks](#cdk-nag-hipaasecuritychecks), [NIST80053R4Checks](#cdk-nag-nist80053r4checks), [NIST80053R5Checks](#cdk-nag-nist80053r5checks), [NZISM36Checks](#cdk-nag-nzism36checks), [PCIDSS321Checks](#cdk-nag-pcidss321checks) ### Initializer diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index a4601743ac..f42255021f 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -4,7 +4,8 @@ SPDX-License-Identifier: Apache-2.0 */ import { CfnResource } from 'aws-cdk-lib'; import { IConstruct } from 'constructs'; -import { NagMessageLevel, NagPack, NagPackProps } from '../nag-pack'; +import { NagPack, NagPackProps } from '../nag-pack'; +import { NagMessageLevel } from '../nag-rules'; import { APIGWExecutionLoggingEnabled } from '../rules/apigw'; import { CloudFrontDistributionAccessLogging, diff --git a/src/rules/cloudfront/index.ts b/src/rules/cloudfront/index.ts index 9a58f93ecb..0734107174 100644 --- a/src/rules/cloudfront/index.ts +++ b/src/rules/cloudfront/index.ts @@ -8,4 +8,4 @@ export { default as CloudFrontDistributionHttpsViewerNoOutdatedSSL } from './Clo export { default as CloudFrontDistributionNoOutdatedSSL } from './CloudFrontDistributionNoOutdatedSSL'; export { default as CloudFrontDistributionS3OriginAccessIdentity } from './CloudFrontDistributionS3OriginAccessIdentity'; export { default as CloudFrontDistributionWAFIntegration } from './CloudFrontDistributionWAFIntegration'; -export { default as CloudFrontDefaultRootObjectConfigured } from './CloudFrontDefaultRootObjectConfigured' +export { default as CloudFrontDefaultRootObjectConfigured } from './CloudFrontDefaultRootObjectConfigured'; diff --git a/src/rules/s3/S3BucketServerSideEncryptionEnabled.ts b/src/rules/s3/S3BucketServerSideEncryptionEnabled.ts new file mode 100644 index 0000000000..4a4b83d239 --- /dev/null +++ b/src/rules/s3/S3BucketServerSideEncryptionEnabled.ts @@ -0,0 +1,52 @@ +/* +Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +SPDX-License-Identifier: Apache-2.0 +*/ +import { parse } from 'path'; +import { CfnResource, Stack } from 'aws-cdk-lib'; +import { CfnBucket } from 'aws-cdk-lib/aws-s3'; +import { NagRuleCompliance, NagRules } from '../../nag-rules'; + +/** + * S3 Buckets have default server-side encryption enabled + * @param node the CfnResource to check + */ +export default Object.defineProperty( + (node: CfnResource): NagRuleCompliance => { + if (node instanceof CfnBucket) { + if (node.bucketEncryption == undefined) { + return NagRuleCompliance.NON_COMPLIANT; + } + const encryption = Stack.of(node).resolve(node.bucketEncryption); + if (encryption.serverSideEncryptionConfiguration == undefined) { + return NagRuleCompliance.NON_COMPLIANT; + } + const sse = Stack.of(node).resolve( + encryption.serverSideEncryptionConfiguration + ); + for (const rule of sse) { + const defaultEncryption = Stack.of(node).resolve( + rule.serverSideEncryptionByDefault + ); + if (defaultEncryption == undefined) { + return NagRuleCompliance.NON_COMPLIANT; + } + const sseAlgorithm = NagRules.resolveIfPrimitive( + node, + defaultEncryption.sseAlgorithm + ); + if ( + sseAlgorithm.toLowerCase() != 'aes256' && + sseAlgorithm.toLowerCase() != 'aws:kms' + ) { + return NagRuleCompliance.NON_COMPLIANT; + } + } + return NagRuleCompliance.COMPLIANT; + } else { + return NagRuleCompliance.NOT_APPLICABLE; + } + }, + 'name', + { value: parse(__filename).name } +); diff --git a/src/rules/s3/index.ts b/src/rules/s3/index.ts index 58684cad35..6aa8c155e0 100644 --- a/src/rules/s3/index.ts +++ b/src/rules/s3/index.ts @@ -12,3 +12,4 @@ export { default as S3BucketSSLRequestsOnly } from './S3BucketSSLRequestsOnly'; export { default as S3BucketVersioningEnabled } from './S3BucketVersioningEnabled'; export { default as S3DefaultEncryptionKMS } from './S3DefaultEncryptionKMS'; export { default as S3WebBucketOAIAccess } from './S3WebBucketOAIAccess'; +export { default as S3BucketServerSideEncryptionEnabled } from './S3BucketServerSideEncryptionEnabled'; From 32772184ffc0ece7c26874d3c545a975423ac548 Mon Sep 17 00:00:00 2001 From: mrpackethead Date: Mon, 4 Sep 2023 03:21:46 +0000 Subject: [PATCH 03/85] added ruleSuffixOverides --- src/packs/nzism-v36-1022-20.ts | 73 +++++++++++++-- test/Packs.test.ts | 101 +++++++++++++++++++++ test/rules/CloudFront.test.ts | 27 ++++++ test/rules/EC2.test.ts | 157 +++++++++++++++++++++++++++++++++ test/rules/S3.test.ts | 16 ++++ 5 files changed, 369 insertions(+), 5 deletions(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index f42255021f..4a13120b17 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -142,6 +142,7 @@ export class NZISM36Checks extends NagPack { */ private checkAPIGW(node: CfnResource): void { this.applyRule({ + ruleSuffixOverride: 'API_GATEWAY_LOGGING', info: 'The API Gateway stage does not have execution logging enabled for all methods. | SHOULD 16.6.10.C.02[CID:2013], MUST 23.5.11.C.01[CID:7496] ', explanation: 'API Gateway logging displays detailed views of users who accessed the API and the way they accessed the API. This insight enables visibility of user activities.', @@ -158,6 +159,7 @@ export class NZISM36Checks extends NagPack { */ private checkCloudFront(node: CfnResource): void { this.applyRule({ + ruleSuffixOverride: 'CLOUDFRONT_DISTRIBUTION_LOGGING', info: 'The CloudFront distribution does not have access logging enabled. | SHOULD 16.6.10.C.02[CID:2013], MUST 23.5.11.C.01[CID:7496]', explanation: 'Enabling access logs helps operators track all viewer requests for the content delivered through the Content Delivery Network.', @@ -166,6 +168,7 @@ export class NZISM36Checks extends NagPack { node: node, }); this.applyRule({ + ruleSuffixOverride: 'CLOUDFRONT_REQUIRES_WAF', info: 'The CloudFront distribution requires integration with WAF | MUST 19.1.12.C.01[CID:3562]', explanation: 'The Web Application Firewall can help protect against application-layer attacks that can compromise the security of the system or place unnecessary load on them.', @@ -175,6 +178,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ + ruleSuffixOverride: 'CLOUDFRONT_OUTDATED_SSL', info: 'The CloudFront distribution allows for SSLv3 or TLSv1 for HTTPS viewer connections | MUST 16.1.37.C.01[CID:1847]', explanation: 'Vulnerabilities have been and continue to be discovered in the deprecated SSL and TLS protocols. Help protect viewer connections by specifying a viewer certificate that enforces a minimum of TLSv1.1 or TLSv1.2 in the security policy. Distributions that use the default CloudFront viewer certificate or use vip for the SslSupportMethod are non-compliant with this rule, as the minimum security policy is set to TLSv1 regardless of the specified MinimumProtocolVersion', @@ -183,8 +187,8 @@ export class NZISM36Checks extends NagPack { node: node, }); - // this rule is a new addition this.applyRule({ + ruleSuffixOverride: 'CLOUDFRONT_REQUIRES_ROOT_OBJECT', info: 'The Cloudfront distribution requires a default object | SHOULD 14.5.6.C.01[CID:1661]', explanation: 'Specifying a default root object lets you avoid exposing the contents of your distribution', @@ -201,6 +205,7 @@ export class NZISM36Checks extends NagPack { */ private checkCloudTrail(node: CfnResource): void { this.applyRule({ + ruleSuffixOverride: 'CLOUDTRAIL_REQUIRES_CLOUDWATCH', info: 'The trail does not have CloudWatch logs enabled | SHOULD 16.6.6.C.02[CID:1998], MUST 16.4.35.C.02[CID:6860])', explanation: 'Use Amazon CloudWatch to centrally collect and manage log event activity. Inclusion of AWS CloudTrail data provides details of API call activity within your AWS account.', @@ -210,6 +215,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ + ruleSuffixOverride: 'CLOUDTRAIL_REQUIRES_ENCRYPTION', info: 'The trail does not have encryption enabled | SHOULD 17.1.46.C.04[CID:2082]', explanation: 'Because sensitive data may exist and to help protect data at rest, ensure encryption is enabled for your AWS CloudTrail trails.', @@ -219,7 +225,8 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'The trail does not have encryption enabled - MUST 16.6.12.C.01[CID:2022], MUST 23.5.11.C.01[CID:7496]', + ruleSuffixOverride: 'CLOUDTRAIL_LOGFILE_VALIDATION', + info: 'The trail does not have log file validation - MUST 16.6.12.C.01[CID:2022], MUST 23.5.11.C.01[CID:7496]', explanation: 'Utilize AWS CloudTrail log file validation to check the integrity of CloudTrail logs. Log file validation helps determine if a log file was modified or deleted or unchanged after CloudTrail delivered it. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection.', level: NagMessageLevel.ERROR, @@ -236,6 +243,7 @@ export class NZISM36Checks extends NagPack { private checkCloudWatch(node: CfnResource): void { this.applyRule({ + ruleSuffixOverride: 'CLOUDWATCH_RETENTION_PERIOD', info: 'The CloudWatch Log Group does not have an explicit retention period configured - SHOULD 16.6.6.C.02[CID:1998], MUST 16.6.13.C.01[CID:2028]', explanation: 'Ensure a minimum duration of event log data is retained for your log groups to help with troubleshooting and forensics investigations. The lack of available past event log data makes it difficult to reconstruct and identify potentially malicious events.', @@ -245,6 +253,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ + ruleSuffixOverride: 'CLOUDWATCH_ENCRYPT_WITH_KMS', info: 'The CloudWatch Log Group is not encrypted with an AWS KMS key | MUST 16.6.12.C.01[CID:2022], MUST 23.5.11.C.01[CID:7496]', explanation: 'To help protect sensitive data at rest, ensure encryption is enabled for your Amazon CloudWatch Log Groups.', @@ -261,6 +270,7 @@ export class NZISM36Checks extends NagPack { */ private checkDMS(node: CfnResource) { this.applyRule({ + ruleSuffixOverride: 'DMS_REPLICATION_NOT_PUBLIC', info: 'The DMS replication instance is public | MUST 19.1.12.C.01[CID:3562], MUST 23.4.10.C.01[CID:7466]', explanation: 'DMS replication instances can contain sensitive information and access control is required for such accounts.', @@ -277,6 +287,7 @@ export class NZISM36Checks extends NagPack { */ private checkDynamoDB(node: CfnResource) { this.applyRule({ + ruleSuffixOverride: 'DYNAMODB_AUTOSCALING', info: 'The provisioned capacity DynamoDB table does not have Auto Scaling enabled on its indexes | MUST 22.1.23.C.01[CID:4829]', explanation: 'Amazon DynamoDB auto scaling uses the AWS Application Auto Scaling service to adjust provisioned throughput capacity that automatically responds to actual traffic patterns. This enables a table or a global secondary index to increase its provisioned read/write capacity to handle sudden increases in traffic, without throttling.', @@ -285,6 +296,7 @@ export class NZISM36Checks extends NagPack { node: node, }); this.applyRule({ + ruleSuffixOverride: 'DYNAMODB_REQUIRES_BACKUP', info: 'The DynamoDB table is not in an AWS Backup plan - MUST 22.1.26.C.01[CID:4849]', explanation: 'To help with data back-up processes, ensure your Amazon DynamoDB tables are a part of an AWS Backup plan. AWS Backup is a fully managed backup service with a policy-based backup solution. This solution simplifies your backup management and enables you to meet your business and regulatory backup compliance requirements.', @@ -293,6 +305,7 @@ export class NZISM36Checks extends NagPack { node: node, }); this.applyRule({ + ruleSuffixOverride: 'DYNAMODB_MUST_HAVE_POINTINTIME_RECOVERY', info: 'The DynamoDB table does not have Point-in-time Recovery enabled | MUST 22.1.26.C.01[CID:4849]', explanation: 'The recovery maintains continuous backups of your table for the last 35 days.', @@ -309,6 +322,7 @@ export class NZISM36Checks extends NagPack { */ private checkEC2(node: CfnResource): void { this.applyRule({ + ruleSuffixOverride: 'EBS_NOT_IN_BACKUP', info: 'The EBS volume is not in an AWS Backup plan | MUST 22.1.26.C.01[CID:4849]', explanation: 'To help with data back-up processes, ensure your Amazon Elastic Block Store (Amazon EBS) volumes are a part of an AWS Backup plan. AWS Backup is a fully managed backup service with a policy-based backup solution. This solution simplifies your backup management and enables you to meet your business and regulatory backup compliance requirements.', @@ -318,6 +332,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ + ruleSuffixOverride: 'EC2_MUST_NOT_HAVE_PUBLIC_IP', info: 'The EC2 instance is associated with a public IP address | MUST 19.1.12.C.01[CID:3562], MUST 23.4.10.C.01[CID:7466]', explanation: 'Manage access to the AWS Cloud by ensuring Amazon Elastic Compute Cloud (Amazon EC2) instances cannot be publicly accessed. Amazon EC2 instances can contain sensitive information and access control is required for such accounts.', @@ -327,6 +342,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ + ruleSuffixOverride: 'EC2_MUST_BE_IN_VPC', info: 'The EC2 instance is not within a VPC - MUST 19.1.12.C.01[CID:3562], MUST 23.4.10.C.01[CID:7466]', explanation: 'Deploy Amazon Elastic Compute Cloud (Amazon EC2) instances within an Amazon Virtual Private Cloud (Amazon VPC) to enable secure communication between an instance and other services within the amazon VPC, without requiring an internet gateway, NAT device, or VPN connection. All traffic remains securely within the AWS Cloud. Because of their logical isolation, domains that reside within anAmazon VPC have an extra layer of security when compared to domains that use public endpoints. Assign Amazon EC2 instances to an Amazon VPC to properly manage access.', @@ -336,6 +352,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ + ruleSuffixOverride: 'EBS_VOLUME_ENCRYPTED', info: 'The EBS volume has encryption disabled- SHOULD 17.1.46.C.04[CID:2082], SHOULD 22.1.24.C.04[CID:4839]', explanation: 'With EBS encryption, you aren not required to build, maintain, and secure your own key management infrastructure. EBS encryption uses KMS keys when creating encrypted volumes and snapshots. This helps protect data at rest.', @@ -345,6 +362,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ + ruleSuffixOverride: 'UNRESTRICTED_SSH', info: 'The Security Group allows unrestricted SSH access - SHOULD 17.5.8.C.02[CID:2726]', explanation: 'Not allowing ingress (or remote) traffic from 0.0.0.0/0 or ::/0 to port 22 on your resources helps to restrict remote access.', @@ -353,8 +371,8 @@ export class NZISM36Checks extends NagPack { node: node, }); - // this is new rule this.applyRule({ + ruleSuffixOverride: 'SECURITYGROUP_ONLY_TCP443', info: 'The Security Group allows access other than tcp 443 - SHOULD 18.1.13.C.02[CID:3205]', explanation: 'Not allowing ingress (or remote) traffic to ports other than tcp port 443 helps improve security', @@ -363,8 +381,9 @@ export class NZISM36Checks extends NagPack { node: node, }); - // this can be modified to use EC2IMDVs enabled. + // this can be modified to use EC2IMDVs2 enabled. this.applyRule({ + ruleSuffixOverride: 'EC2IMDVS2_ENABLED', info: 'THe Ec2 Instance does not use IMDSv2 | MUST 19.1.12.C.01[CID:3562], MUST 23.4.10.C.01[CID:7466]', explanation: 'IMDSv2 adds additional protection by using session authentication to the Instance Meta Data Service', @@ -381,6 +400,7 @@ export class NZISM36Checks extends NagPack { */ private checkECS(node: CfnResource): void { this.applyRule({ + ruleSuffixOverride: 'ECS_TASK_DEFINITION_PRIVLIDGED', info: 'The ECS task definition is configured for host networking and has at least one container with definitions with privileged set to false or empty or user set to root or empty | SHOULD 14.1.8.C.01[CID:1149]', explanation: 'If a task definition has elevated privileges it is because you have specifically opted-in to those configurations. This rule checks for unexpected privilege escalation when a task definition has host networking enabled but the customer has not opted-in to elevated privileges.', @@ -397,6 +417,7 @@ export class NZISM36Checks extends NagPack { */ private checkEFS(node: CfnResource) { this.applyRule({ + ruleSuffixOverride: 'EFS_BACKUP_PLAN_REQUIRED', info: 'The EFS is not in an AWS Backup plan - MUST 22.1.26.C.01[CID:4849]', explanation: 'To help with data back-up processes, ensure your Amazon Elastic File System (Amazon EFS) file systems are a part of an AWS Backup plan. AWS Backup is a fully managed backup service with a policy-based backup solution. This solution simplifies your backup management and enables you to meet your business and regulatory backup compliance requirements.', @@ -405,6 +426,7 @@ export class NZISM36Checks extends NagPack { node: node, }); this.applyRule({ + ruleSuffixOverride: 'EFS_ENCRYPTION_REQUIRED', info: 'The EFS does not have encryption at rest enabled = SHOULD 17.1.46.C.04[CID:2082], SHOULD 22.1.24.C.04[CID:4839]', explanation: 'Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your Amazon Elastic File System (EFS).', @@ -421,6 +443,7 @@ export class NZISM36Checks extends NagPack { */ private checkElastiCache(node: CfnResource) { this.applyRule({ + ruleSuffixOverride: 'REDIS_BACKUP', info: 'The ElastiCache Redis cluster does not retain automatic backups for at least 15 day - MUST 22.1.26.C.01[CID:4849]', explanation: 'Automatic backups can help guard against data loss. If a failure occurs, you can create a new cluster, which restores your data from the most recent backup.', @@ -437,6 +460,7 @@ export class NZISM36Checks extends NagPack { */ private checkElasticBeanstalk(node: CfnResource): void { this.applyRule({ + ruleSuffixOverride: 'ELASTIC_BEANSTALK_UPDATES', info: 'The Elastic Beanstalk environment does not have enhanced health reporting enabled | SHOULD 12.4.4.C.05[CID:3452]', explanation: 'Enabling managed platform updates for an Amazon Elastic Beanstalk environment ensures that the latest available platform fixes, updates, and features for the environment are installed. Keeping up to date with patch installation is a best practice in securing systems.', @@ -454,6 +478,7 @@ export class NZISM36Checks extends NagPack { private checkELB(node: CfnResource): void { this.applyRule({ + ruleSuffixOverride: 'ALB_HTTP_TO_HTTPS_REDIRECTION', info: 'The ALBs HTTP listeners are not configured to redirect to HTTPS | MUST 16.1.37.C.01[CID:1847], MUST 17.1.48.C.03[CID:2091]', explanation: 'To help protect data in transit, ensure that your Application Load Balancer automatically redirects unencrypted HTTP requests to HTTPS. Because sensitive data can exist, enable encryption in transit to help protect that data.', @@ -463,6 +488,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ + ruleSuffixOverride: 'ALB_REQUIRES_WAF', info: 'The ALB is not associated with AWS WAFv2 web ACL | MUST 19.1.12.C.01[CID:3562], SHOULD 20.3.7.C.02[CID:4333], MUST 23.4.10.C.01[CID:7466]', explanation: 'A WAF helps to protect your web applications or APIs against common web exploits. These web exploits may affect availability, compromise security, or consume excessive resources within your environment.', @@ -472,6 +498,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ + ruleSuffixOverride: 'ELB_CROSS_ZONE_LOADBALANCING', info: 'MUST 22.1.23.C.01[CID:4829]| Enterprise systems security/Cloud Computing/System Availability', explanation: "Enable cross-zone load balancing for your Classic Load Balancers (CLBs) to help maintain adequate capacity and availability. The cross-zone load balancing reduces the need to maintain equivalent numbers of instances in each enabled availability zone. It also improves your application's ability to handle the loss of one or more instances.", @@ -481,6 +508,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ + ruleSuffixOverride: 'ELB_LOGGING_ENABLED', info: 'The ELB does not have logging enabled | SHOULD 16.6.10.C.02[CID:2013], MUST 23.5.11.C.01[CID:7496]', explanation: "Elastic Load Balancing activity is a central point of communication within an environment. Ensure ELB logging is enabled. The collected data provides detailed information about requests sent to The ELB. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses.", @@ -489,7 +517,8 @@ export class NZISM36Checks extends NagPack { node: node, }); this.applyRule({ - info: 'The CLB does not restrict its listeners to only the SSL and HTTPS protocol | SHOULD 14.5.8.C.01[CID:1667], MUST 16.1.37.C.01[CID:1847], MUST 17.1.48.C.03[CID:2091], SHOULD 22.1.24.C.04[CID:4839]', + ruleSuffixOverride: 'ELB_HTTPS_LISTENER_ONLY', + info: 'The ELB does not restrict its listeners to only the SSL and HTTPS protocol | SHOULD 14.5.8.C.01[CID:1667], MUST 16.1.37.C.01[CID:1847], MUST 17.1.48.C.03[CID:2091], SHOULD 22.1.24.C.04[CID:4839]', explanation: 'Ensure that your Classic Load Balancers (CLBs) are configured with SSL or HTTPS listeners. Because sensitive data can exist, enable encryption in transit to help protect that data.', level: NagMessageLevel.ERROR, @@ -505,6 +534,7 @@ export class NZISM36Checks extends NagPack { */ private checkIAM(node: CfnResource): void { this.applyRule({ + ruleSuffixOverride: 'IAM_NO_ADMIN_ACCESS', info: 'The IAM policy grants admin access, meaning the policy allows a principal to perform all actions on all resources | SHOULD 16.3.5.C.02[CID:1946]', explanation: 'AWS Identity and Access Management (IAM) can help you incorporate the principles of least privilege and separation of duties with access permissions and authorizations, by ensuring that IAM groups have at least one IAM user. Placing IAM users in groups based on their associated permissions or job function is one way to incorporate least privilege.', @@ -521,6 +551,7 @@ export class NZISM36Checks extends NagPack { */ private checkKMS(node: CfnResource): void { this.applyRule({ + ruleSuffixOverride: 'KMS_KEY_ROTATION', info: 'The KMS Symmetric key does not have automatic key rotation enabled | SHOULD 17.9.25.C.01[CID:3021]', explanation: 'Enable key rotation to ensure that keys are rotated once they have reached the end of their crypto period.', @@ -537,6 +568,7 @@ export class NZISM36Checks extends NagPack { private checkLambda(node: CfnResource) { this.applyRule({ + ruleSuffixOverride: 'LAMBDA_NO_PUBLIC_ACCESS', info: 'The Lambda function permission grants public access - MUST 19.1.12.C.01[CID:3562], MUST 23.4.10.C.01[CID:7466]', explanation: 'Public access allows anyone on the internet to perform unauthenticated actions on your function and can potentially lead to degraded availability.', @@ -553,6 +585,7 @@ export class NZISM36Checks extends NagPack { */ private checkOpenSearch(node: CfnResource) { this.applyRule({ + ruleSuffixOverride: 'OPENSEARCH_ENCRYPTION_AT_REST', info: 'The OpenSearch Service domain does not have encryption at rest enabled | SHOULD 17.1.46.C.04[CID:2082], SHOULD 20.4.4.C.02[CID:4441], SHOULD 22.1.24.C.04[CID:4839]', explanation: 'Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your Amazon OpenSearch Service (OpenSearch Service) domains.', @@ -562,6 +595,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ + ruleSuffixOverride: 'OPENSEARCH_MUST_BE_ON_VPC', info: 'The OpenSearch Service domain is not running within a VPC | MUST 19.1.12.C.01[CID:3562], SHOULD 19.1.14.C.02[CID:3623]', explanation: 'VPCs help secure your AWS resources and provide an extra layer of protection.', @@ -571,6 +605,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ + ruleSuffixOverride: 'OPENSEARCH_NODE_TO_NODE_ENCRYPTION', info: 'The OpenSearch Service domain does not have node-to-node encryption enabled | MUST 16.1.37.C.01[CID:1847], SHOULD 22.1.24.C.04[CID:4839]', explanation: 'Because sensitive data can exist, enable encryption in transit to help protect that data within your Amazon OpenSearch Service (OpenSearch Service) domains.', @@ -587,6 +622,7 @@ export class NZISM36Checks extends NagPack { */ private checkRDS(node: CfnResource): void { this.applyRule({ + ruleSuffixOverride: 'RDS_DELETION_PROTECTION', info: 'The RDS DB Instance or Aurora Cluster does not have deletion protection enabled | MUST 22.1.26.C.01[CID:4849]', explanation: 'Ensure Amazon Relational Database Service (Amazon RDS) instances and clusters have deletion protection enabled. Use deletion protection to prevent your Amazon RDS DB instances and clusters from being accidentally or maliciously deleted, which can lead to loss of availability for your applications.', @@ -596,6 +632,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ + ruleSuffixOverride: 'RDS_MULTIAZ', info: 'The RDS DB Instance does not have multi-AZ support | MUST 22.1.23.C.01[CID:4829]', explanation: 'Ensure Amazon Relational Database Service (Amazon RDS) instances and clusters have deletion protection enabled. Use deletion protection to prevent your Amazon RDS DB instances and clusters from being accidentally or maliciously deleted, which can lead to loss of availability for your applications.', @@ -605,6 +642,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ + ruleSuffixOverride: 'RDS_BACKUP', info: 'The RDS DB instance is not in an AWS Backup plan | MUST 22.1.26.C.01[CID:4849]', explanation: 'To help with data back-up processes, ensure your Amazon Relational Database Service (Amazon RDS) instances are a part of an AWS Backup plan. AWS Backup is a fully managed backup service with a policy-based backup solution. This solution simplifies your backup management and enables you to meet your business and regulatory backup compliance requirements.', @@ -614,6 +652,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ + ruleSuffixOverride: 'RDS_PUBLIC_ACCESS', info: 'The RDS DB Instance allows public access | MUST 19.1.12.C.01[CID:3562], SHOULD 19.1.14.C.02[CID:3623], MUST 23.4.10.C.01[CID:7466]', explanation: 'Amazon RDS database instances can contain sensitive information, and principles and access control is required for such accounts.', @@ -623,6 +662,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ + ruleSuffixOverride: 'RDS_LOGGING', info: 'The non-Aurora RDS DB instance or Aurora cluster does not have all CloudWatch log types exported | SHOULD 16.6.10.C.02[CID:2013], SHOULD 20.4.4.C.02[CID:4441], SHOULD 20.4.5.C.02[CID:4445], MUST 23.5.11.C.01[CID:7496]', explanation: 'To help with logging and monitoring within your environment, ensure Amazon Relational Database Service (Amazon RDS) logging is enabled. With Amazon RDS logging, you can capture events such as connections, disconnections, queries, or tables queried.' + @@ -633,6 +673,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ + ruleSuffixOverride: 'RDS_STORAGE', info: 'The RDS DB Instance or Aurora Cluster does not have storage encrypted | SHOULD 17.1.46.C.04[CID:2082], SHOULD 20.4.4.C.02[CID:4441], SHOULD 22.1.24.C.04[CID:4839]', explanation: 'Because sensitive data can exist at rest in Amazon RDS instances, enable encryption at rest to help protect that data.', @@ -642,6 +683,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ + ruleSuffixOverride: 'RDS_MINOR_PATCHING', info: 'RDS DB Instance is not configured for minor patches | SHOULD 12.4.4.C.05[CID:3452]', explanation: 'Provides automatic Patching in the Database', level: NagMessageLevel.WARN, @@ -657,6 +699,7 @@ export class NZISM36Checks extends NagPack { */ private checkRedshift(node: CfnResource): void { this.applyRule({ + ruleSuffixOverride: 'REDSHIFT_BACKUP', info: 'The Redshift cluster does not have automated snapshots enabled or the retention period is not between 1 and 35 days | MUST 22.1.26.C.01[CID:4849]', explanation: 'To help with data back-up processes, ensure your Amazon Redshift clusters have automated snapshots. When automated snapshots are enabled for a cluster, Redshift periodically takes snapshots of that cluster. By default, Redshift takes a snapshot every eight hours or every 5 GB per node of data changes, or whichever comes first.', @@ -666,6 +709,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ + ruleSuffixOverride: 'REDSHIFT_LOGGING', info: 'The Redshift cluster does not have encryption or audit logging enabled | SHOULD 20.4.4.C.02[CID:4441], SHOULD 20.4.5.C.02[CID:4445], SHOULD 22.1.24.C.04[CID:4839]', explanation: 'To protect data at rest, ensure that encryption is enabled for your Amazon Redshift clusters. You must also ensure that required configurations are deployed on Amazon Redshift clusters. The audit logging should be enabled to provide information about connections and user activities in the database.', @@ -675,6 +719,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ + ruleSuffixOverride: 'REDSHIFT_MAINTAINANCE', info: 'The Redshift cluster does not have version upgrades enabled, automated snapshot retention periods enabled, and an explicit maintenance window configure MUST 12.4.4.C.02[CID:3449], SHOULD 12.4.4.C.06[CID:3453]', explanation: 'Ensure that Amazon Redshift clusters have the preferred settings for your organization. Specifically, that they have preferred maintenance windows and automated snapshot retention periods for the database. ', @@ -684,6 +729,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ + ruleSuffixOverride: 'REDSHIFT_NOT_PUBLIC', info: 'Redshift must not be made publically avaialble | MUST 19.1.12.C.01[CID:3562], SHOULD 19.1.14.C.02[CID:3623], MUST 23.4.10.C.01[CID:7466]', explanation: 'Amazon Redshift clusters can contain sensitive information and principles and access control is required for such accounts.', @@ -693,6 +739,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ + ruleSuffixOverride: 'REDSHIFT_ENCRYPTION', info: 'The Redshift cluster must use TLS/SSL encryption. MUST 17.1.48.C.03[CID:2091], SHOULD 22.1.24.C.04[CID:4839]', explanation: 'Ensure that your Amazon Redshift clusters require TLS/SSL encryption to connect to SQL clients. Because sensitive data can exist, enable encryption in transit to help protect that data.', @@ -709,6 +756,7 @@ export class NZISM36Checks extends NagPack { */ private checkS3(node: CfnResource): void { this.applyRule({ + ruleSuffixOverride: 'S3_PUBLIC_ACCESS', info: 'The S3 bucket does not prohibit public access through bucket level settings SHOULD 22.1.24.C.03[CID:4838]', explanation: 'Keep sensitive data safe from unauthorized remote users by preventing public access at the bucket level.', @@ -718,6 +766,7 @@ export class NZISM36Checks extends NagPack { }); // THIS IS NEW RULE. this.applyRule({ + ruleSuffixOverride: 'S3_SERVERSIDE_ENCRYPTION', info: 'The S3 Bucket does not have default server-side encryption enabled | SHOULD 17.1.46.C.04[CID:2082]', explanation: 'Because sensitive data can exist at rest in Amazon S3 buckets, enable encryption to help protect that data.', @@ -726,6 +775,7 @@ export class NZISM36Checks extends NagPack { node: node, }); this.applyRule({ + ruleSuffixOverride: 'S3_POLICY_SSL', info: 'The S3 Bucket or bucket policy does not require requests to use SSL | SHOULD 22.1.24.C.04[CID:4839]|', explanation: 'To help protect data in transit, ensure that your Amazon Simple Storage Service (Amazon S3) buckets require requests to use Secure Socket Layer (SSL). Because sensitive data can exist, enable encryption in transit to help protect that data.', @@ -734,6 +784,7 @@ export class NZISM36Checks extends NagPack { node: node, }); this.applyRule({ + ruleSuffixOverride: 'S3_SEVER_ACCESS_LOGS', info: 'The S3 Buckets does not have server access logs enabled | MUST 22.1.26.C.01[CID:4849]', explanation: 'Amazon Simple Storage Service (Amazon S3) server access logging provides a method to monitor the network for potential cybersecurity events. The events are monitored by capturing detailed records for the requests that are made to an Amazon S3 bucket. Each access log record provides details about a single access request. The details include the requester, bucket name, request time, request action, response status, and an error code, if relevant.', @@ -743,6 +794,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ + ruleSuffixOverride: 'S3_PUBLIC_READ', info: 'The S3 Bucket does not prohibit public read access through its Block Public Access configurations and bucket ACLs | SHOULD 22.1.24.C.03[CID:4838]', explanation: 'The management of access should be consistent with the classification of the data.', @@ -751,6 +803,7 @@ export class NZISM36Checks extends NagPack { node: node, }); this.applyRule({ + ruleSuffixOverride: 'S3_PUBLIC_WRITE', info: 'The S3 Bucket does not prohibit public write access through its Block Public Access configurations and bucket ACLs | SHOULD 22.1.24.C.03[CID:4838]', explanation: 'The management of access should be consistent with the classification of the data.', @@ -759,6 +812,7 @@ export class NZISM36Checks extends NagPack { node: node, }); this.applyRule({ + ruleSuffixOverride: 'S3_VERSIONING', info: 'The S3 Bucket does not have versioning enabled | MUST 22.1.26.C.01[CID:4849]', explanation: 'Use versioning to preserve, retrieve, and restore every version of every object stored in your Amazon S3 bucket. Versioning helps you to easily recover from unintended user actions and application failures.', @@ -767,6 +821,7 @@ export class NZISM36Checks extends NagPack { node: node, }); this.applyRule({ + ruleSuffixOverride: 'S3_KMS_ENCRYPTION', info: 'The S3 Bucket is not encrypted with a KMS Key by default | SHOULD 17.1.46.C.04[CID:2082]| Cryptography/Cryptographic Fundamentals/Reducing storage and physical transfer requirements', explanation: 'Ensure that encryption is enabled for your Amazon Simple Storage Service (Amazon S3) buckets. Because sensitive data can exist at rest in an Amazon S3 bucket, enable encryption at rest to help protect that data.', @@ -783,6 +838,7 @@ export class NZISM36Checks extends NagPack { */ private checkSageMaker(node: CfnResource) { this.applyRule({ + ruleSuffixOverride: 'SAGEMAKER_ENDPOINT_KMS', info: 'The SageMaker resource endpoint is not encrypted with a KMS key | SHOULD 22.1.24.C.04[CID:4839]', explanation: 'Because sensitive data can exist at rest in SageMaker endpoint, enable encryption at rest to help protect that data.', @@ -791,6 +847,7 @@ export class NZISM36Checks extends NagPack { node: node, }); this.applyRule({ + ruleSuffixOverride: 'SAGEMAKER_NOTEBOOK_KMS', info: 'The SageMaker notebook is not encrypted with a KMS key | SHOULD 22.1.24.C.04[CID:4839]', explanation: 'Because sensitive data can exist at rest in SageMaker notebook, enable encryption at rest to help protect that data.', @@ -799,6 +856,7 @@ export class NZISM36Checks extends NagPack { node: node, }); this.applyRule({ + ruleSuffixOverride: 'SAGEMAKER_NOTEBOOK_NO_INTERNET_ACCESS', info: 'The SageMaker notebook does not disable direct internet access | MUST 19.1.12.C.01[CID:3562], MUST 23.4.10.C.01[CID:7466]', explanation: 'By preventing direct internet access, you can keep sensitive data from being accessed by unauthorized users.', @@ -815,6 +873,7 @@ export class NZISM36Checks extends NagPack { */ private checkSecretsManager(node: CfnResource): void { this.applyRule({ + ruleSuffixOverride: 'SECRET_KMS', info: 'The secret is not encrypted with a KMS Customer managed key | SHOULD 22.1.24.C.04[CID:4839]', explanation: 'To help protect data at rest, ensure encryption with AWS Key Management Service (AWS KMS) is enabled for AWS Secrets Manager secrets. Because sensitive data can exist at rest in Secrets Manager secrets, enable encryption at rest to help protect that data.', @@ -831,6 +890,7 @@ export class NZISM36Checks extends NagPack { */ private checkSNS(node: CfnResource): void { this.applyRule({ + ruleSuffixOverride: 'SNS_KMS', info: 'The SNS topic does not have KMS encryption enabled | SHOULD 22.1.24.C.04[CID:4839]', explanation: 'To help protect data at rest, ensure that your Amazon Simple Notification Service (Amazon SNS) topics require encryption using AWS Key Management Service (AWS KMS) Because sensitive data can exist at rest in published messages, enable encryption at rest to help protect that data.', @@ -847,6 +907,7 @@ export class NZISM36Checks extends NagPack { */ private checkVPC(node: CfnResource): void { this.applyRule({ + ruleSuffixOverride: 'VPC_DEFAULT_SECURITY_GROUP_CLOSED', info: 'The VPCs default security group allows inbound or outbound traffic MUST 19.1.12.C.01[CID:3562], MUST 23.4.10.C.01[CID:7466]', explanation: 'Amazon Elastic Compute Cloud (Amazon EC2) security groups can help in the management of network access by providing stateful filtering of ingress and egress network traffic to AWS resources. Restricting all the traffic on the default security group helps in restricting remote access to your AWS resources.', @@ -855,6 +916,7 @@ export class NZISM36Checks extends NagPack { node: node, }); this.applyRule({ + ruleSuffixOverride: 'VPC_FLOW_LOG', info: 'The VPC does not have an associated Flow Log | MUST 19.1.12.C.01[CID:3562], MUST 23.4.10.C.01[CID:7466]', explanation: 'The VPC flow logs provide detailed records for information about the IP traffic going to and from network interfaces in your Amazon Virtual Private Cloud (Amazon VPC). By default, the flow log record includes values for the different components of the IP flow, including the source, destination, and protocol.', @@ -871,6 +933,7 @@ export class NZISM36Checks extends NagPack { */ private checkWAF(node: CfnResource): void { this.applyRule({ + ruleSuffixOverride: 'WAF_LOGGING', info: 'The WAFv2 web ACL does not have logging enabled | SHOULD 16.6.10.C.02[CID:2013], MUST 23.5.11.C.01[CID:7496]', explanation: 'AWS WAF logging provides detailed information about the traffic that is analyzed by your web ACL. The logs record the time that AWS WAF received the request from your AWS resource, information about the request, and an action for the rule that each request matched.', diff --git a/test/Packs.test.ts b/test/Packs.test.ts index b6de2d5614..5fd2d174bf 100644 --- a/test/Packs.test.ts +++ b/test/Packs.test.ts @@ -13,6 +13,7 @@ import { NIST80053R5Checks, NagMessageLevel, PCIDSS321Checks, + NZISM36Checks, } from '../src'; describe('Check NagPack Details', () => { @@ -625,4 +626,104 @@ describe('Check NagPack Details', () => { expect(pack.actualErrors.sort()).toEqual(expectedErrors.sort()); }); }); + describe('NZISM3.6', () => { + class NZISM36ChecksExtended extends NZISM36Checks { + actualWarnings = new Array(); + actualErrors = new Array(); + applyRule(params: IApplyRule): void { + const ruleSuffix = params.ruleSuffixOverride + ? params.ruleSuffixOverride + : params.rule.name; + const ruleId = `${pack.readPackName}-${ruleSuffix}`; + if (params.level === NagMessageLevel.WARN) { + this.actualWarnings.push(ruleId); + } else { + this.actualErrors.push(ruleId); + } + } + } + const pack = new NZISM36ChecksExtended(); + test('Pack Name is correct', () => { + expect(pack.readPackName).toStrictEqual('NZISM3.6'); + }); + test('Pack contains expected warning and error rules', () => { + const expectedWarnings = [ + 'NZISM3.6-CLOUDFRONT_REQUIRES_ROOT_OBJECT', + 'NZISM3.6-CLOUDTRAIL_REQUIRES_ENCRYPTION', + 'NZISM3.6-EBS_VOLUME_ENCRYPTED', + 'NZISM3.6-ECS_TASK_DEFINITION_PRIVLIDGED', + 'NZISM3.6-EFS_ENCRYPTION_REQUIRED', + 'NZISM3.6-ELASTIC_BEANSTALK_UPDATES', + 'NZISM3.6-IAM_NO_ADMIN_ACCESS', + 'NZISM3.6-KMS_KEY_ROTATION', + 'NZISM3.6-OPENSEARCH_ENCRYPTION_AT_REST', + 'NZISM3.6-RDS_MINOR_PATCHING', + 'NZISM3.6-RDS_STORAGE', + 'NZISM3.6-S3_KMS_ENCRYPTION', + 'NZISM3.6-S3_POLICY_SSL', + 'NZISM3.6-S3_PUBLIC_ACCESS', + 'NZISM3.6-S3_PUBLIC_READ', + 'NZISM3.6-S3_PUBLIC_WRITE', + 'NZISM3.6-S3_SERVERSIDE_ENCRYPTION', + 'NZISM3.6-SAGEMAKER_ENDPOINT_KMS', + 'NZISM3.6-SAGEMAKER_NOTEBOOK_KMS', + 'NZISM3.6-SECRET_KMS', + 'NZISM3.6-SECURITYGROUP_ONLY_TCP443', + 'NZISM3.6-SNS_KMS', + ]; + + const expectedErrors = [ + 'NZISM3.6-ALB_HTTP_TO_HTTPS_REDIRECTION', + 'NZISM3.6-ALB_REQUIRES_WAF', + 'NZISM3.6-API_GATEWAY_LOGGING', + 'NZISM3.6-CLOUDFRONT_DISTRIBUTION_LOGGING', + 'NZISM3.6-CLOUDFRONT_OUTDATED_SSL', + 'NZISM3.6-CLOUDFRONT_REQUIRES_WAF', + 'NZISM3.6-CLOUDTRAIL_LOGFILE_VALIDATION', + 'NZISM3.6-CLOUDTRAIL_REQUIRES_CLOUDWATCH', + 'NZISM3.6-CLOUDWATCH_ENCRYPT_WITH_KMS', + 'NZISM3.6-CLOUDWATCH_RETENTION_PERIOD', + 'NZISM3.6-DMS_REPLICATION_NOT_PUBLIC', + 'NZISM3.6-DYNAMODB_AUTOSCALING', + 'NZISM3.6-DYNAMODB_MUST_HAVE_POINTINTIME_RECOVERY', + 'NZISM3.6-DYNAMODB_REQUIRES_BACKUP', + 'NZISM3.6-EBS_NOT_IN_BACKUP', + 'NZISM3.6-EC2IMDVS2_ENABLED', + 'NZISM3.6-EC2_MUST_BE_IN_VPC', + 'NZISM3.6-EC2_MUST_NOT_HAVE_PUBLIC_IP', + 'NZISM3.6-EFS_BACKUP_PLAN_REQUIRED', + 'NZISM3.6-ELB_CROSS_ZONE_LOADBALANCING', + 'NZISM3.6-ELB_HTTPS_LISTENER_ONLY', + 'NZISM3.6-ELB_LOGGING_ENABLED', + 'NZISM3.6-LAMBDA_NO_PUBLIC_ACCESS', + 'NZISM3.6-OPENSEARCH_MUST_BE_ON_VPC', + 'NZISM3.6-OPENSEARCH_NODE_TO_NODE_ENCRYPTION', + 'NZISM3.6-RDS_BACKUP', + 'NZISM3.6-RDS_DELETION_PROTECTION', + 'NZISM3.6-RDS_LOGGING', + 'NZISM3.6-RDS_MULTIAZ', + 'NZISM3.6-RDS_PUBLIC_ACCESS', + 'NZISM3.6-REDIS_BACKUP', + 'NZISM3.6-REDSHIFT_BACKUP', + 'NZISM3.6-REDSHIFT_ENCRYPTION', + 'NZISM3.6-REDSHIFT_LOGGING', + 'NZISM3.6-REDSHIFT_MAINTAINANCE', + 'NZISM3.6-REDSHIFT_NOT_PUBLIC', + 'NZISM3.6-S3_SEVER_ACCESS_LOGS', + 'NZISM3.6-S3_VERSIONING', + 'NZISM3.6-SAGEMAKER_NOTEBOOK_NO_INTERNET_ACCESS', + 'NZISM3.6-UNRESTRICTED_SSH', + 'NZISM3.6-VPC_DEFAULT_SECURITY_GROUP_CLOSED', + 'NZISM3.6-VPC_FLOW_LOG', + 'NZISM3.6-WAF_LOGGING', + ]; + jest.spyOn(pack, 'applyRule'); + const stack = new Stack(); + Aspects.of(stack).add(pack); + new CfnResource(stack, 'rTestResource', { type: 'foo' }); + SynthUtils.synthesize(stack).messages; + expect(pack.actualWarnings.sort()).toEqual(expectedWarnings.sort()); + expect(pack.actualErrors.sort()).toEqual(expectedErrors.sort()); + }); + }); }); diff --git a/test/rules/CloudFront.test.ts b/test/rules/CloudFront.test.ts index bff5cd9a98..fa26385c81 100644 --- a/test/rules/CloudFront.test.ts +++ b/test/rules/CloudFront.test.ts @@ -23,6 +23,7 @@ import { CloudFrontDistributionNoOutdatedSSL, CloudFrontDistributionS3OriginAccessIdentity, CloudFrontDistributionWAFIntegration, + CloudFrontDefaultRootObjectConfigured, } from '../../src/rules/cloudfront'; const testPack = new TestPack([ @@ -32,6 +33,7 @@ const testPack = new TestPack([ CloudFrontDistributionNoOutdatedSSL, CloudFrontDistributionS3OriginAccessIdentity, CloudFrontDistributionWAFIntegration, + CloudFrontDefaultRootObjectConfigured, ]); let stack: Stack; @@ -397,4 +399,29 @@ describe('Amazon CloudFront', () => { validateStack(stack, ruleId, TestType.COMPLIANCE); }); }); + + describe('CloudFrontDefaultRootObjectConfigured: CloudFront distributions require a default object', () => { + const ruleId = 'CloudFrontDefaultRootObjectConfigured'; + + // Non Compliance + test('Noncompliance ', () => { + new Distribution(stack, 'rDistribution', { + defaultBehavior: { + origin: new S3Origin(new Bucket(stack, 'rOriginBucket')), + }, + }); + validateStack(stack, ruleId, TestType.NON_COMPLIANCE); + }); + + // Compliance + test('Compliance', () => { + new Distribution(stack, 'rDistribution', { + defaultBehavior: { + origin: new S3Origin(new Bucket(stack, 'rOriginBucket')), + }, + defaultRootObject: 'index.html', + }); + validateStack(stack, ruleId, TestType.COMPLIANCE); + }); + }); }); diff --git a/test/rules/EC2.test.ts b/test/rules/EC2.test.ts index a08925be7c..264f2c39f9 100644 --- a/test/rules/EC2.test.ts +++ b/test/rules/EC2.test.ts @@ -46,6 +46,7 @@ import { EC2RestrictedInbound, EC2RestrictedSSH, EC2SecurityGroupDescription, + EC2SecurityGroupOnlyTcp443, } from '../../src/rules/ec2'; const testPack = new TestPack([ @@ -62,6 +63,7 @@ const testPack = new TestPack([ EC2RestrictedInbound, EC2RestrictedSSH, EC2SecurityGroupDescription, + EC2SecurityGroupOnlyTcp443, ]); let stack: Stack; @@ -1163,3 +1165,158 @@ describe('Amazon Elastic Block Store (EBS)', () => { }); }); }); + +describe('EC2SecurityGroupOnlyTcp443: Security Groups should only allow TCP 443 from everything', () => { + const ruleId = 'EC2SecurityGroupOnlyTcp443'; + + test('a non compliant ipv6 rule', () => { + new CfnSecurityGroup(stack, 'rSecurityGroup', { + groupDescription: 'security group tcp port 80 open on port 80', + securityGroupIngress: [ + { + toPort: 80, + ipProtocol: 'tcp', + cidrIpv6: '::0/0', + }, + ], + }); + validateStack(stack, ruleId, TestType.NON_COMPLIANCE); + }); + + test('a compliant ipv6 rule', () => { + new CfnSecurityGroup(stack, 'rSecurityGroup', { + groupDescription: 'ipv6 to non ::0/0', + securityGroupIngress: [ + { + toPort: 80, + ipProtocol: 'tcp', + cidrIpv6: '2002::1234:abcd:ffff:c0a8:101/64', + }, + ], + }); + validateStack(stack, ruleId, TestType.COMPLIANCE); + }); + + test('no specified port', () => { + new CfnSecurityGroup(stack, 'rSecurityGroup', { + groupDescription: 'security group tcp port 80 open', + securityGroupIngress: [ + { + ipProtocol: 'tcp', + cidrIp: '0.0.0.0/0', + }, + ], + }); + validateStack(stack, ruleId, TestType.NON_COMPLIANCE); + }); + + test('tcp port other than 443 from 0/0', () => { + new CfnSecurityGroup(stack, 'rSecurityGroup', { + groupDescription: 'security group tcp port 80 open', + securityGroupIngress: [ + { + toPort: 80, + ipProtocol: 'tcp', + cidrIp: '0.0.0.0/0', + }, + ], + }); + validateStack(stack, ruleId, TestType.NON_COMPLIANCE); + }); + + test('udp port from 0/0', () => { + new CfnSecurityGroup(stack, 'rSecurityGroup2', { + groupDescription: 'security group with udp port 53', + securityGroupIngress: [ + { + toPort: 53, + ipProtocol: 'udp', + cidrIp: '0.0.0.0/0', + }, + ], + }); + validateStack(stack, ruleId, TestType.NON_COMPLIANCE); + }); + + test('ipv4 tcp443 from anywhere', () => { + new CfnSecurityGroup(stack, 'rSecurityGroup2', { + groupDescription: 'security group with tcp 443 ingress allowed', + securityGroupIngress: [ + { + toPort: 443, + ipProtocol: 'tcp', + cidrIp: '0.0.0.0/0', + }, + ], + }); + validateStack(stack, ruleId, TestType.COMPLIANCE); + }); + + test('tcp80 from 10/8', () => { + new CfnSecurityGroup(stack, 'rSecurityGroup2', { + groupDescription: 'security group with tcp 443 ingress allowed', + securityGroupIngress: [ + { + toPort: 80, + ipProtocol: 'tcp', + cidrIp: '10.0.0.0/8', + }, + ], + }); + validateStack(stack, ruleId, TestType.COMPLIANCE); + }); + + test('ingressGroupCompliant', () => { + new CfnSecurityGroupIngress(stack, 'ingressGroup', { + ipProtocol: 'tcp', + toPort: 443, + cidrIp: '0.0.0.0/0', + }); + validateStack(stack, ruleId, TestType.COMPLIANCE); + }); + + test('ingressGroupNonCompliant', () => { + new CfnSecurityGroupIngress(stack, 'ingressGroup', { + ipProtocol: 'tcp', + toPort: 80, + cidrIp: '0.0.0.0/0', + }); + validateStack(stack, ruleId, TestType.NON_COMPLIANCE); + }); + + test('ingressGroupNonCompliant', () => { + new CfnSecurityGroupIngress(stack, 'ingressGroup', { + ipProtocol: 'tcp', + toPort: 443, + cidrIp: '10.0.0.0/8', + }); + validateStack(stack, ruleId, TestType.COMPLIANCE); + }); + + test('ingressgroup, ipv6 compliant', () => { + new CfnSecurityGroupIngress(stack, 'ingressGroup', { + ipProtocol: 'tcp', + toPort: 443, + cidrIpv6: '::/0', + }); + validateStack(stack, ruleId, TestType.COMPLIANCE); + }); + + test('ingressGroup, non compliant', () => { + new CfnSecurityGroupIngress(stack, 'ingressGroup', { + ipProtocol: 'tcp', + toPort: 80, + cidrIpv6: '::/0', + }); + validateStack(stack, ruleId, TestType.NON_COMPLIANCE); + }); + + test('ingressGroupnonopenCompliant', () => { + new CfnSecurityGroupIngress(stack, 'ingressGroup', { + ipProtocol: 'tcp', + toPort: 80, + cidrIpv6: 'FE80:CD00:0:CDE:1257:0:211E:729C/64', + }); + validateStack(stack, ruleId, TestType.COMPLIANCE); + }); +}); diff --git a/test/rules/S3.test.ts b/test/rules/S3.test.ts index c8dff9e555..e0e3081843 100644 --- a/test/rules/S3.test.ts +++ b/test/rules/S3.test.ts @@ -35,6 +35,7 @@ import { S3BucketVersioningEnabled, S3DefaultEncryptionKMS, S3WebBucketOAIAccess, + S3BucketServerSideEncryptionEnabled, } from '../../src/rules/s3'; const testPack = new TestPack([ @@ -48,6 +49,7 @@ const testPack = new TestPack([ S3BucketVersioningEnabled, S3DefaultEncryptionKMS, S3WebBucketOAIAccess, + S3BucketServerSideEncryptionEnabled, ]); let stack: Stack; @@ -254,6 +256,20 @@ describe('Amazon Simple Storage Service (S3)', () => { }); }); + describe('S3BucketServerSideEncryptionEnabled: S3 Buckets have default server-side encryption enabled', () => { + const ruleId = 'S3BucketServerSideEncryptionEnabled'; + test('Noncompliance 1', () => { + new Bucket(stack, 'rBucket'); + validateStack(stack, ruleId, TestType.NON_COMPLIANCE); + }); + test('Compliance', () => { + new Bucket(stack, 'rBucket', { + encryption: BucketEncryption.S3_MANAGED, + }); + validateStack(stack, ruleId, TestType.COMPLIANCE); + }); + }); + describe('S3BucketReplicationEnabled: S3 Buckets have replication enabled', () => { const ruleId = 'S3BucketReplicationEnabled'; test('Noncompliance 1', () => { From ab584987db8143cca60de83b9e9131395b5c4f7e Mon Sep 17 00:00:00 2001 From: mrpackethead Date: Mon, 4 Sep 2023 04:32:21 +0000 Subject: [PATCH 04/85] fix: change to ec2securitygroupOnlyTcp443 --- src/rules/ec2/EC2SecurityGroupOnlyTcp443.ts | 34 ++++++++++++--------- 1 file changed, 19 insertions(+), 15 deletions(-) diff --git a/src/rules/ec2/EC2SecurityGroupOnlyTcp443.ts b/src/rules/ec2/EC2SecurityGroupOnlyTcp443.ts index 4977c3f1fa..83d3a94169 100644 --- a/src/rules/ec2/EC2SecurityGroupOnlyTcp443.ts +++ b/src/rules/ec2/EC2SecurityGroupOnlyTcp443.ts @@ -64,32 +64,36 @@ export default Object.defineProperty( return NagRuleCompliance.COMPLIANT; } else if (node instanceof CfnSecurityGroupIngress) { - const ipProtocol = NagRules.resolveIfPrimitive(node, node.ipProtocol); - const toPort = NagRules.resolveIfPrimitive(node, node.toPort); const resolvedcidrIp = NagRules.resolveIfPrimitive(node, node.cidrIp); const resolvedcidrIpv6 = NagRules.resolveIfPrimitive(node, node.cidrIpv6); // if ipv4 if (resolvedcidrIp) { - if (resolvedcidrIp === '0.0.0.0/0') { - if (toPort === 443 && ipProtocol === 'tcp') { - return NagRuleCompliance.COMPLIANT; - } - return NagRuleCompliance.NON_COMPLIANT; + // if the rule is not open to the world, it is compliant + if (!resolvedcidrIp.includes('/0')) { + return NagRuleCompliance.COMPLIANT; } - return NagRuleCompliance.COMPLIANT; } - // if ipv6 if (resolvedcidrIpv6) { - if (resolvedcidrIpv6 === '::/0') { - if (toPort === 443 && ipProtocol === 'tcp') { - return NagRuleCompliance.COMPLIANT; - } - return NagRuleCompliance.NON_COMPLIANT; + // if the rule is not open to the world, it is compliant + if (!resolvedcidrIpv6.includes('/0')) { + return NagRuleCompliance.COMPLIANT; } - return NagRuleCompliance.COMPLIANT; } + + const ipProtocol = NagRules.resolveIfPrimitive(node, node.ipProtocol); + const toPort = NagRules.resolveIfPrimitive(node, node.toPort); + + if (!toPort) { + return NagRuleCompliance.NON_COMPLIANT; + } + + if (!(toPort === 443 && ipProtocol === 'tcp')) { + return NagRuleCompliance.NON_COMPLIANT; + } + + return NagRuleCompliance.COMPLIANT; } return NagRuleCompliance.NOT_APPLICABLE; From acbf422265b8bf90a225eabc6c3c4e8df2f4dabe Mon Sep 17 00:00:00 2001 From: mrpackethead Date: Mon, 4 Sep 2023 22:12:05 +0000 Subject: [PATCH 05/85] intial changes from review --- src/packs/nzism-v36-1022-20.ts | 75 ---------- src/rules/ec2/EC2SecurityGroupOnlyTcp443.ts | 13 +- .../s3/S3BucketServerSideEncryptionEnabled.ts | 52 ------- src/rules/s3/index.ts | 1 - test/Packs.test.ts | 129 +++++++++--------- test/rules/S3.test.ts | 16 --- 6 files changed, 66 insertions(+), 220 deletions(-) delete mode 100644 src/rules/s3/S3BucketServerSideEncryptionEnabled.ts diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index 4a13120b17..9c919d5867 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -77,7 +77,6 @@ import { S3BucketLoggingEnabled, S3BucketPublicReadProhibited, S3BucketPublicWriteProhibited, - S3BucketServerSideEncryptionEnabled, S3BucketSSLRequestsOnly, S3BucketVersioningEnabled, S3DefaultEncryptionKMS, @@ -142,7 +141,6 @@ export class NZISM36Checks extends NagPack { */ private checkAPIGW(node: CfnResource): void { this.applyRule({ - ruleSuffixOverride: 'API_GATEWAY_LOGGING', info: 'The API Gateway stage does not have execution logging enabled for all methods. | SHOULD 16.6.10.C.02[CID:2013], MUST 23.5.11.C.01[CID:7496] ', explanation: 'API Gateway logging displays detailed views of users who accessed the API and the way they accessed the API. This insight enables visibility of user activities.', @@ -159,7 +157,6 @@ export class NZISM36Checks extends NagPack { */ private checkCloudFront(node: CfnResource): void { this.applyRule({ - ruleSuffixOverride: 'CLOUDFRONT_DISTRIBUTION_LOGGING', info: 'The CloudFront distribution does not have access logging enabled. | SHOULD 16.6.10.C.02[CID:2013], MUST 23.5.11.C.01[CID:7496]', explanation: 'Enabling access logs helps operators track all viewer requests for the content delivered through the Content Delivery Network.', @@ -168,7 +165,6 @@ export class NZISM36Checks extends NagPack { node: node, }); this.applyRule({ - ruleSuffixOverride: 'CLOUDFRONT_REQUIRES_WAF', info: 'The CloudFront distribution requires integration with WAF | MUST 19.1.12.C.01[CID:3562]', explanation: 'The Web Application Firewall can help protect against application-layer attacks that can compromise the security of the system or place unnecessary load on them.', @@ -178,7 +174,6 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - ruleSuffixOverride: 'CLOUDFRONT_OUTDATED_SSL', info: 'The CloudFront distribution allows for SSLv3 or TLSv1 for HTTPS viewer connections | MUST 16.1.37.C.01[CID:1847]', explanation: 'Vulnerabilities have been and continue to be discovered in the deprecated SSL and TLS protocols. Help protect viewer connections by specifying a viewer certificate that enforces a minimum of TLSv1.1 or TLSv1.2 in the security policy. Distributions that use the default CloudFront viewer certificate or use vip for the SslSupportMethod are non-compliant with this rule, as the minimum security policy is set to TLSv1 regardless of the specified MinimumProtocolVersion', @@ -188,7 +183,6 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - ruleSuffixOverride: 'CLOUDFRONT_REQUIRES_ROOT_OBJECT', info: 'The Cloudfront distribution requires a default object | SHOULD 14.5.6.C.01[CID:1661]', explanation: 'Specifying a default root object lets you avoid exposing the contents of your distribution', @@ -205,7 +199,6 @@ export class NZISM36Checks extends NagPack { */ private checkCloudTrail(node: CfnResource): void { this.applyRule({ - ruleSuffixOverride: 'CLOUDTRAIL_REQUIRES_CLOUDWATCH', info: 'The trail does not have CloudWatch logs enabled | SHOULD 16.6.6.C.02[CID:1998], MUST 16.4.35.C.02[CID:6860])', explanation: 'Use Amazon CloudWatch to centrally collect and manage log event activity. Inclusion of AWS CloudTrail data provides details of API call activity within your AWS account.', @@ -215,7 +208,6 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - ruleSuffixOverride: 'CLOUDTRAIL_REQUIRES_ENCRYPTION', info: 'The trail does not have encryption enabled | SHOULD 17.1.46.C.04[CID:2082]', explanation: 'Because sensitive data may exist and to help protect data at rest, ensure encryption is enabled for your AWS CloudTrail trails.', @@ -225,7 +217,6 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - ruleSuffixOverride: 'CLOUDTRAIL_LOGFILE_VALIDATION', info: 'The trail does not have log file validation - MUST 16.6.12.C.01[CID:2022], MUST 23.5.11.C.01[CID:7496]', explanation: 'Utilize AWS CloudTrail log file validation to check the integrity of CloudTrail logs. Log file validation helps determine if a log file was modified or deleted or unchanged after CloudTrail delivered it. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection.', @@ -243,7 +234,6 @@ export class NZISM36Checks extends NagPack { private checkCloudWatch(node: CfnResource): void { this.applyRule({ - ruleSuffixOverride: 'CLOUDWATCH_RETENTION_PERIOD', info: 'The CloudWatch Log Group does not have an explicit retention period configured - SHOULD 16.6.6.C.02[CID:1998], MUST 16.6.13.C.01[CID:2028]', explanation: 'Ensure a minimum duration of event log data is retained for your log groups to help with troubleshooting and forensics investigations. The lack of available past event log data makes it difficult to reconstruct and identify potentially malicious events.', @@ -253,7 +243,6 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - ruleSuffixOverride: 'CLOUDWATCH_ENCRYPT_WITH_KMS', info: 'The CloudWatch Log Group is not encrypted with an AWS KMS key | MUST 16.6.12.C.01[CID:2022], MUST 23.5.11.C.01[CID:7496]', explanation: 'To help protect sensitive data at rest, ensure encryption is enabled for your Amazon CloudWatch Log Groups.', @@ -270,7 +259,6 @@ export class NZISM36Checks extends NagPack { */ private checkDMS(node: CfnResource) { this.applyRule({ - ruleSuffixOverride: 'DMS_REPLICATION_NOT_PUBLIC', info: 'The DMS replication instance is public | MUST 19.1.12.C.01[CID:3562], MUST 23.4.10.C.01[CID:7466]', explanation: 'DMS replication instances can contain sensitive information and access control is required for such accounts.', @@ -287,7 +275,6 @@ export class NZISM36Checks extends NagPack { */ private checkDynamoDB(node: CfnResource) { this.applyRule({ - ruleSuffixOverride: 'DYNAMODB_AUTOSCALING', info: 'The provisioned capacity DynamoDB table does not have Auto Scaling enabled on its indexes | MUST 22.1.23.C.01[CID:4829]', explanation: 'Amazon DynamoDB auto scaling uses the AWS Application Auto Scaling service to adjust provisioned throughput capacity that automatically responds to actual traffic patterns. This enables a table or a global secondary index to increase its provisioned read/write capacity to handle sudden increases in traffic, without throttling.', @@ -296,7 +283,6 @@ export class NZISM36Checks extends NagPack { node: node, }); this.applyRule({ - ruleSuffixOverride: 'DYNAMODB_REQUIRES_BACKUP', info: 'The DynamoDB table is not in an AWS Backup plan - MUST 22.1.26.C.01[CID:4849]', explanation: 'To help with data back-up processes, ensure your Amazon DynamoDB tables are a part of an AWS Backup plan. AWS Backup is a fully managed backup service with a policy-based backup solution. This solution simplifies your backup management and enables you to meet your business and regulatory backup compliance requirements.', @@ -305,7 +291,6 @@ export class NZISM36Checks extends NagPack { node: node, }); this.applyRule({ - ruleSuffixOverride: 'DYNAMODB_MUST_HAVE_POINTINTIME_RECOVERY', info: 'The DynamoDB table does not have Point-in-time Recovery enabled | MUST 22.1.26.C.01[CID:4849]', explanation: 'The recovery maintains continuous backups of your table for the last 35 days.', @@ -322,7 +307,6 @@ export class NZISM36Checks extends NagPack { */ private checkEC2(node: CfnResource): void { this.applyRule({ - ruleSuffixOverride: 'EBS_NOT_IN_BACKUP', info: 'The EBS volume is not in an AWS Backup plan | MUST 22.1.26.C.01[CID:4849]', explanation: 'To help with data back-up processes, ensure your Amazon Elastic Block Store (Amazon EBS) volumes are a part of an AWS Backup plan. AWS Backup is a fully managed backup service with a policy-based backup solution. This solution simplifies your backup management and enables you to meet your business and regulatory backup compliance requirements.', @@ -332,7 +316,6 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - ruleSuffixOverride: 'EC2_MUST_NOT_HAVE_PUBLIC_IP', info: 'The EC2 instance is associated with a public IP address | MUST 19.1.12.C.01[CID:3562], MUST 23.4.10.C.01[CID:7466]', explanation: 'Manage access to the AWS Cloud by ensuring Amazon Elastic Compute Cloud (Amazon EC2) instances cannot be publicly accessed. Amazon EC2 instances can contain sensitive information and access control is required for such accounts.', @@ -342,7 +325,6 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - ruleSuffixOverride: 'EC2_MUST_BE_IN_VPC', info: 'The EC2 instance is not within a VPC - MUST 19.1.12.C.01[CID:3562], MUST 23.4.10.C.01[CID:7466]', explanation: 'Deploy Amazon Elastic Compute Cloud (Amazon EC2) instances within an Amazon Virtual Private Cloud (Amazon VPC) to enable secure communication between an instance and other services within the amazon VPC, without requiring an internet gateway, NAT device, or VPN connection. All traffic remains securely within the AWS Cloud. Because of their logical isolation, domains that reside within anAmazon VPC have an extra layer of security when compared to domains that use public endpoints. Assign Amazon EC2 instances to an Amazon VPC to properly manage access.', @@ -352,7 +334,6 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - ruleSuffixOverride: 'EBS_VOLUME_ENCRYPTED', info: 'The EBS volume has encryption disabled- SHOULD 17.1.46.C.04[CID:2082], SHOULD 22.1.24.C.04[CID:4839]', explanation: 'With EBS encryption, you aren not required to build, maintain, and secure your own key management infrastructure. EBS encryption uses KMS keys when creating encrypted volumes and snapshots. This helps protect data at rest.', @@ -362,7 +343,6 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - ruleSuffixOverride: 'UNRESTRICTED_SSH', info: 'The Security Group allows unrestricted SSH access - SHOULD 17.5.8.C.02[CID:2726]', explanation: 'Not allowing ingress (or remote) traffic from 0.0.0.0/0 or ::/0 to port 22 on your resources helps to restrict remote access.', @@ -372,7 +352,6 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - ruleSuffixOverride: 'SECURITYGROUP_ONLY_TCP443', info: 'The Security Group allows access other than tcp 443 - SHOULD 18.1.13.C.02[CID:3205]', explanation: 'Not allowing ingress (or remote) traffic to ports other than tcp port 443 helps improve security', @@ -383,7 +362,6 @@ export class NZISM36Checks extends NagPack { // this can be modified to use EC2IMDVs2 enabled. this.applyRule({ - ruleSuffixOverride: 'EC2IMDVS2_ENABLED', info: 'THe Ec2 Instance does not use IMDSv2 | MUST 19.1.12.C.01[CID:3562], MUST 23.4.10.C.01[CID:7466]', explanation: 'IMDSv2 adds additional protection by using session authentication to the Instance Meta Data Service', @@ -400,7 +378,6 @@ export class NZISM36Checks extends NagPack { */ private checkECS(node: CfnResource): void { this.applyRule({ - ruleSuffixOverride: 'ECS_TASK_DEFINITION_PRIVLIDGED', info: 'The ECS task definition is configured for host networking and has at least one container with definitions with privileged set to false or empty or user set to root or empty | SHOULD 14.1.8.C.01[CID:1149]', explanation: 'If a task definition has elevated privileges it is because you have specifically opted-in to those configurations. This rule checks for unexpected privilege escalation when a task definition has host networking enabled but the customer has not opted-in to elevated privileges.', @@ -417,7 +394,6 @@ export class NZISM36Checks extends NagPack { */ private checkEFS(node: CfnResource) { this.applyRule({ - ruleSuffixOverride: 'EFS_BACKUP_PLAN_REQUIRED', info: 'The EFS is not in an AWS Backup plan - MUST 22.1.26.C.01[CID:4849]', explanation: 'To help with data back-up processes, ensure your Amazon Elastic File System (Amazon EFS) file systems are a part of an AWS Backup plan. AWS Backup is a fully managed backup service with a policy-based backup solution. This solution simplifies your backup management and enables you to meet your business and regulatory backup compliance requirements.', @@ -426,7 +402,6 @@ export class NZISM36Checks extends NagPack { node: node, }); this.applyRule({ - ruleSuffixOverride: 'EFS_ENCRYPTION_REQUIRED', info: 'The EFS does not have encryption at rest enabled = SHOULD 17.1.46.C.04[CID:2082], SHOULD 22.1.24.C.04[CID:4839]', explanation: 'Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your Amazon Elastic File System (EFS).', @@ -443,7 +418,6 @@ export class NZISM36Checks extends NagPack { */ private checkElastiCache(node: CfnResource) { this.applyRule({ - ruleSuffixOverride: 'REDIS_BACKUP', info: 'The ElastiCache Redis cluster does not retain automatic backups for at least 15 day - MUST 22.1.26.C.01[CID:4849]', explanation: 'Automatic backups can help guard against data loss. If a failure occurs, you can create a new cluster, which restores your data from the most recent backup.', @@ -460,7 +434,6 @@ export class NZISM36Checks extends NagPack { */ private checkElasticBeanstalk(node: CfnResource): void { this.applyRule({ - ruleSuffixOverride: 'ELASTIC_BEANSTALK_UPDATES', info: 'The Elastic Beanstalk environment does not have enhanced health reporting enabled | SHOULD 12.4.4.C.05[CID:3452]', explanation: 'Enabling managed platform updates for an Amazon Elastic Beanstalk environment ensures that the latest available platform fixes, updates, and features for the environment are installed. Keeping up to date with patch installation is a best practice in securing systems.', @@ -478,7 +451,6 @@ export class NZISM36Checks extends NagPack { private checkELB(node: CfnResource): void { this.applyRule({ - ruleSuffixOverride: 'ALB_HTTP_TO_HTTPS_REDIRECTION', info: 'The ALBs HTTP listeners are not configured to redirect to HTTPS | MUST 16.1.37.C.01[CID:1847], MUST 17.1.48.C.03[CID:2091]', explanation: 'To help protect data in transit, ensure that your Application Load Balancer automatically redirects unencrypted HTTP requests to HTTPS. Because sensitive data can exist, enable encryption in transit to help protect that data.', @@ -488,7 +460,6 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - ruleSuffixOverride: 'ALB_REQUIRES_WAF', info: 'The ALB is not associated with AWS WAFv2 web ACL | MUST 19.1.12.C.01[CID:3562], SHOULD 20.3.7.C.02[CID:4333], MUST 23.4.10.C.01[CID:7466]', explanation: 'A WAF helps to protect your web applications or APIs against common web exploits. These web exploits may affect availability, compromise security, or consume excessive resources within your environment.', @@ -498,7 +469,6 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - ruleSuffixOverride: 'ELB_CROSS_ZONE_LOADBALANCING', info: 'MUST 22.1.23.C.01[CID:4829]| Enterprise systems security/Cloud Computing/System Availability', explanation: "Enable cross-zone load balancing for your Classic Load Balancers (CLBs) to help maintain adequate capacity and availability. The cross-zone load balancing reduces the need to maintain equivalent numbers of instances in each enabled availability zone. It also improves your application's ability to handle the loss of one or more instances.", @@ -508,7 +478,6 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - ruleSuffixOverride: 'ELB_LOGGING_ENABLED', info: 'The ELB does not have logging enabled | SHOULD 16.6.10.C.02[CID:2013], MUST 23.5.11.C.01[CID:7496]', explanation: "Elastic Load Balancing activity is a central point of communication within an environment. Ensure ELB logging is enabled. The collected data provides detailed information about requests sent to The ELB. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses.", @@ -517,7 +486,6 @@ export class NZISM36Checks extends NagPack { node: node, }); this.applyRule({ - ruleSuffixOverride: 'ELB_HTTPS_LISTENER_ONLY', info: 'The ELB does not restrict its listeners to only the SSL and HTTPS protocol | SHOULD 14.5.8.C.01[CID:1667], MUST 16.1.37.C.01[CID:1847], MUST 17.1.48.C.03[CID:2091], SHOULD 22.1.24.C.04[CID:4839]', explanation: 'Ensure that your Classic Load Balancers (CLBs) are configured with SSL or HTTPS listeners. Because sensitive data can exist, enable encryption in transit to help protect that data.', @@ -534,7 +502,6 @@ export class NZISM36Checks extends NagPack { */ private checkIAM(node: CfnResource): void { this.applyRule({ - ruleSuffixOverride: 'IAM_NO_ADMIN_ACCESS', info: 'The IAM policy grants admin access, meaning the policy allows a principal to perform all actions on all resources | SHOULD 16.3.5.C.02[CID:1946]', explanation: 'AWS Identity and Access Management (IAM) can help you incorporate the principles of least privilege and separation of duties with access permissions and authorizations, by ensuring that IAM groups have at least one IAM user. Placing IAM users in groups based on their associated permissions or job function is one way to incorporate least privilege.', @@ -551,7 +518,6 @@ export class NZISM36Checks extends NagPack { */ private checkKMS(node: CfnResource): void { this.applyRule({ - ruleSuffixOverride: 'KMS_KEY_ROTATION', info: 'The KMS Symmetric key does not have automatic key rotation enabled | SHOULD 17.9.25.C.01[CID:3021]', explanation: 'Enable key rotation to ensure that keys are rotated once they have reached the end of their crypto period.', @@ -568,7 +534,6 @@ export class NZISM36Checks extends NagPack { private checkLambda(node: CfnResource) { this.applyRule({ - ruleSuffixOverride: 'LAMBDA_NO_PUBLIC_ACCESS', info: 'The Lambda function permission grants public access - MUST 19.1.12.C.01[CID:3562], MUST 23.4.10.C.01[CID:7466]', explanation: 'Public access allows anyone on the internet to perform unauthenticated actions on your function and can potentially lead to degraded availability.', @@ -585,7 +550,6 @@ export class NZISM36Checks extends NagPack { */ private checkOpenSearch(node: CfnResource) { this.applyRule({ - ruleSuffixOverride: 'OPENSEARCH_ENCRYPTION_AT_REST', info: 'The OpenSearch Service domain does not have encryption at rest enabled | SHOULD 17.1.46.C.04[CID:2082], SHOULD 20.4.4.C.02[CID:4441], SHOULD 22.1.24.C.04[CID:4839]', explanation: 'Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your Amazon OpenSearch Service (OpenSearch Service) domains.', @@ -595,7 +559,6 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - ruleSuffixOverride: 'OPENSEARCH_MUST_BE_ON_VPC', info: 'The OpenSearch Service domain is not running within a VPC | MUST 19.1.12.C.01[CID:3562], SHOULD 19.1.14.C.02[CID:3623]', explanation: 'VPCs help secure your AWS resources and provide an extra layer of protection.', @@ -605,7 +568,6 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - ruleSuffixOverride: 'OPENSEARCH_NODE_TO_NODE_ENCRYPTION', info: 'The OpenSearch Service domain does not have node-to-node encryption enabled | MUST 16.1.37.C.01[CID:1847], SHOULD 22.1.24.C.04[CID:4839]', explanation: 'Because sensitive data can exist, enable encryption in transit to help protect that data within your Amazon OpenSearch Service (OpenSearch Service) domains.', @@ -622,7 +584,6 @@ export class NZISM36Checks extends NagPack { */ private checkRDS(node: CfnResource): void { this.applyRule({ - ruleSuffixOverride: 'RDS_DELETION_PROTECTION', info: 'The RDS DB Instance or Aurora Cluster does not have deletion protection enabled | MUST 22.1.26.C.01[CID:4849]', explanation: 'Ensure Amazon Relational Database Service (Amazon RDS) instances and clusters have deletion protection enabled. Use deletion protection to prevent your Amazon RDS DB instances and clusters from being accidentally or maliciously deleted, which can lead to loss of availability for your applications.', @@ -632,7 +593,6 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - ruleSuffixOverride: 'RDS_MULTIAZ', info: 'The RDS DB Instance does not have multi-AZ support | MUST 22.1.23.C.01[CID:4829]', explanation: 'Ensure Amazon Relational Database Service (Amazon RDS) instances and clusters have deletion protection enabled. Use deletion protection to prevent your Amazon RDS DB instances and clusters from being accidentally or maliciously deleted, which can lead to loss of availability for your applications.', @@ -642,7 +602,6 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - ruleSuffixOverride: 'RDS_BACKUP', info: 'The RDS DB instance is not in an AWS Backup plan | MUST 22.1.26.C.01[CID:4849]', explanation: 'To help with data back-up processes, ensure your Amazon Relational Database Service (Amazon RDS) instances are a part of an AWS Backup plan. AWS Backup is a fully managed backup service with a policy-based backup solution. This solution simplifies your backup management and enables you to meet your business and regulatory backup compliance requirements.', @@ -652,7 +611,6 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - ruleSuffixOverride: 'RDS_PUBLIC_ACCESS', info: 'The RDS DB Instance allows public access | MUST 19.1.12.C.01[CID:3562], SHOULD 19.1.14.C.02[CID:3623], MUST 23.4.10.C.01[CID:7466]', explanation: 'Amazon RDS database instances can contain sensitive information, and principles and access control is required for such accounts.', @@ -662,7 +620,6 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - ruleSuffixOverride: 'RDS_LOGGING', info: 'The non-Aurora RDS DB instance or Aurora cluster does not have all CloudWatch log types exported | SHOULD 16.6.10.C.02[CID:2013], SHOULD 20.4.4.C.02[CID:4441], SHOULD 20.4.5.C.02[CID:4445], MUST 23.5.11.C.01[CID:7496]', explanation: 'To help with logging and monitoring within your environment, ensure Amazon Relational Database Service (Amazon RDS) logging is enabled. With Amazon RDS logging, you can capture events such as connections, disconnections, queries, or tables queried.' + @@ -673,7 +630,6 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - ruleSuffixOverride: 'RDS_STORAGE', info: 'The RDS DB Instance or Aurora Cluster does not have storage encrypted | SHOULD 17.1.46.C.04[CID:2082], SHOULD 20.4.4.C.02[CID:4441], SHOULD 22.1.24.C.04[CID:4839]', explanation: 'Because sensitive data can exist at rest in Amazon RDS instances, enable encryption at rest to help protect that data.', @@ -683,7 +639,6 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - ruleSuffixOverride: 'RDS_MINOR_PATCHING', info: 'RDS DB Instance is not configured for minor patches | SHOULD 12.4.4.C.05[CID:3452]', explanation: 'Provides automatic Patching in the Database', level: NagMessageLevel.WARN, @@ -699,7 +654,6 @@ export class NZISM36Checks extends NagPack { */ private checkRedshift(node: CfnResource): void { this.applyRule({ - ruleSuffixOverride: 'REDSHIFT_BACKUP', info: 'The Redshift cluster does not have automated snapshots enabled or the retention period is not between 1 and 35 days | MUST 22.1.26.C.01[CID:4849]', explanation: 'To help with data back-up processes, ensure your Amazon Redshift clusters have automated snapshots. When automated snapshots are enabled for a cluster, Redshift periodically takes snapshots of that cluster. By default, Redshift takes a snapshot every eight hours or every 5 GB per node of data changes, or whichever comes first.', @@ -709,7 +663,6 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - ruleSuffixOverride: 'REDSHIFT_LOGGING', info: 'The Redshift cluster does not have encryption or audit logging enabled | SHOULD 20.4.4.C.02[CID:4441], SHOULD 20.4.5.C.02[CID:4445], SHOULD 22.1.24.C.04[CID:4839]', explanation: 'To protect data at rest, ensure that encryption is enabled for your Amazon Redshift clusters. You must also ensure that required configurations are deployed on Amazon Redshift clusters. The audit logging should be enabled to provide information about connections and user activities in the database.', @@ -719,7 +672,6 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - ruleSuffixOverride: 'REDSHIFT_MAINTAINANCE', info: 'The Redshift cluster does not have version upgrades enabled, automated snapshot retention periods enabled, and an explicit maintenance window configure MUST 12.4.4.C.02[CID:3449], SHOULD 12.4.4.C.06[CID:3453]', explanation: 'Ensure that Amazon Redshift clusters have the preferred settings for your organization. Specifically, that they have preferred maintenance windows and automated snapshot retention periods for the database. ', @@ -729,7 +681,6 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - ruleSuffixOverride: 'REDSHIFT_NOT_PUBLIC', info: 'Redshift must not be made publically avaialble | MUST 19.1.12.C.01[CID:3562], SHOULD 19.1.14.C.02[CID:3623], MUST 23.4.10.C.01[CID:7466]', explanation: 'Amazon Redshift clusters can contain sensitive information and principles and access control is required for such accounts.', @@ -739,7 +690,6 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - ruleSuffixOverride: 'REDSHIFT_ENCRYPTION', info: 'The Redshift cluster must use TLS/SSL encryption. MUST 17.1.48.C.03[CID:2091], SHOULD 22.1.24.C.04[CID:4839]', explanation: 'Ensure that your Amazon Redshift clusters require TLS/SSL encryption to connect to SQL clients. Because sensitive data can exist, enable encryption in transit to help protect that data.', @@ -756,7 +706,6 @@ export class NZISM36Checks extends NagPack { */ private checkS3(node: CfnResource): void { this.applyRule({ - ruleSuffixOverride: 'S3_PUBLIC_ACCESS', info: 'The S3 bucket does not prohibit public access through bucket level settings SHOULD 22.1.24.C.03[CID:4838]', explanation: 'Keep sensitive data safe from unauthorized remote users by preventing public access at the bucket level.', @@ -764,18 +713,7 @@ export class NZISM36Checks extends NagPack { rule: S3BucketLevelPublicAccessProhibited, node: node, }); - // THIS IS NEW RULE. this.applyRule({ - ruleSuffixOverride: 'S3_SERVERSIDE_ENCRYPTION', - info: 'The S3 Bucket does not have default server-side encryption enabled | SHOULD 17.1.46.C.04[CID:2082]', - explanation: - 'Because sensitive data can exist at rest in Amazon S3 buckets, enable encryption to help protect that data.', - level: NagMessageLevel.WARN, - rule: S3BucketServerSideEncryptionEnabled, - node: node, - }); - this.applyRule({ - ruleSuffixOverride: 'S3_POLICY_SSL', info: 'The S3 Bucket or bucket policy does not require requests to use SSL | SHOULD 22.1.24.C.04[CID:4839]|', explanation: 'To help protect data in transit, ensure that your Amazon Simple Storage Service (Amazon S3) buckets require requests to use Secure Socket Layer (SSL). Because sensitive data can exist, enable encryption in transit to help protect that data.', @@ -784,7 +722,6 @@ export class NZISM36Checks extends NagPack { node: node, }); this.applyRule({ - ruleSuffixOverride: 'S3_SEVER_ACCESS_LOGS', info: 'The S3 Buckets does not have server access logs enabled | MUST 22.1.26.C.01[CID:4849]', explanation: 'Amazon Simple Storage Service (Amazon S3) server access logging provides a method to monitor the network for potential cybersecurity events. The events are monitored by capturing detailed records for the requests that are made to an Amazon S3 bucket. Each access log record provides details about a single access request. The details include the requester, bucket name, request time, request action, response status, and an error code, if relevant.', @@ -794,7 +731,6 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - ruleSuffixOverride: 'S3_PUBLIC_READ', info: 'The S3 Bucket does not prohibit public read access through its Block Public Access configurations and bucket ACLs | SHOULD 22.1.24.C.03[CID:4838]', explanation: 'The management of access should be consistent with the classification of the data.', @@ -803,7 +739,6 @@ export class NZISM36Checks extends NagPack { node: node, }); this.applyRule({ - ruleSuffixOverride: 'S3_PUBLIC_WRITE', info: 'The S3 Bucket does not prohibit public write access through its Block Public Access configurations and bucket ACLs | SHOULD 22.1.24.C.03[CID:4838]', explanation: 'The management of access should be consistent with the classification of the data.', @@ -812,7 +747,6 @@ export class NZISM36Checks extends NagPack { node: node, }); this.applyRule({ - ruleSuffixOverride: 'S3_VERSIONING', info: 'The S3 Bucket does not have versioning enabled | MUST 22.1.26.C.01[CID:4849]', explanation: 'Use versioning to preserve, retrieve, and restore every version of every object stored in your Amazon S3 bucket. Versioning helps you to easily recover from unintended user actions and application failures.', @@ -821,7 +755,6 @@ export class NZISM36Checks extends NagPack { node: node, }); this.applyRule({ - ruleSuffixOverride: 'S3_KMS_ENCRYPTION', info: 'The S3 Bucket is not encrypted with a KMS Key by default | SHOULD 17.1.46.C.04[CID:2082]| Cryptography/Cryptographic Fundamentals/Reducing storage and physical transfer requirements', explanation: 'Ensure that encryption is enabled for your Amazon Simple Storage Service (Amazon S3) buckets. Because sensitive data can exist at rest in an Amazon S3 bucket, enable encryption at rest to help protect that data.', @@ -838,7 +771,6 @@ export class NZISM36Checks extends NagPack { */ private checkSageMaker(node: CfnResource) { this.applyRule({ - ruleSuffixOverride: 'SAGEMAKER_ENDPOINT_KMS', info: 'The SageMaker resource endpoint is not encrypted with a KMS key | SHOULD 22.1.24.C.04[CID:4839]', explanation: 'Because sensitive data can exist at rest in SageMaker endpoint, enable encryption at rest to help protect that data.', @@ -847,7 +779,6 @@ export class NZISM36Checks extends NagPack { node: node, }); this.applyRule({ - ruleSuffixOverride: 'SAGEMAKER_NOTEBOOK_KMS', info: 'The SageMaker notebook is not encrypted with a KMS key | SHOULD 22.1.24.C.04[CID:4839]', explanation: 'Because sensitive data can exist at rest in SageMaker notebook, enable encryption at rest to help protect that data.', @@ -856,7 +787,6 @@ export class NZISM36Checks extends NagPack { node: node, }); this.applyRule({ - ruleSuffixOverride: 'SAGEMAKER_NOTEBOOK_NO_INTERNET_ACCESS', info: 'The SageMaker notebook does not disable direct internet access | MUST 19.1.12.C.01[CID:3562], MUST 23.4.10.C.01[CID:7466]', explanation: 'By preventing direct internet access, you can keep sensitive data from being accessed by unauthorized users.', @@ -873,7 +803,6 @@ export class NZISM36Checks extends NagPack { */ private checkSecretsManager(node: CfnResource): void { this.applyRule({ - ruleSuffixOverride: 'SECRET_KMS', info: 'The secret is not encrypted with a KMS Customer managed key | SHOULD 22.1.24.C.04[CID:4839]', explanation: 'To help protect data at rest, ensure encryption with AWS Key Management Service (AWS KMS) is enabled for AWS Secrets Manager secrets. Because sensitive data can exist at rest in Secrets Manager secrets, enable encryption at rest to help protect that data.', @@ -890,7 +819,6 @@ export class NZISM36Checks extends NagPack { */ private checkSNS(node: CfnResource): void { this.applyRule({ - ruleSuffixOverride: 'SNS_KMS', info: 'The SNS topic does not have KMS encryption enabled | SHOULD 22.1.24.C.04[CID:4839]', explanation: 'To help protect data at rest, ensure that your Amazon Simple Notification Service (Amazon SNS) topics require encryption using AWS Key Management Service (AWS KMS) Because sensitive data can exist at rest in published messages, enable encryption at rest to help protect that data.', @@ -907,7 +835,6 @@ export class NZISM36Checks extends NagPack { */ private checkVPC(node: CfnResource): void { this.applyRule({ - ruleSuffixOverride: 'VPC_DEFAULT_SECURITY_GROUP_CLOSED', info: 'The VPCs default security group allows inbound or outbound traffic MUST 19.1.12.C.01[CID:3562], MUST 23.4.10.C.01[CID:7466]', explanation: 'Amazon Elastic Compute Cloud (Amazon EC2) security groups can help in the management of network access by providing stateful filtering of ingress and egress network traffic to AWS resources. Restricting all the traffic on the default security group helps in restricting remote access to your AWS resources.', @@ -916,7 +843,6 @@ export class NZISM36Checks extends NagPack { node: node, }); this.applyRule({ - ruleSuffixOverride: 'VPC_FLOW_LOG', info: 'The VPC does not have an associated Flow Log | MUST 19.1.12.C.01[CID:3562], MUST 23.4.10.C.01[CID:7466]', explanation: 'The VPC flow logs provide detailed records for information about the IP traffic going to and from network interfaces in your Amazon Virtual Private Cloud (Amazon VPC). By default, the flow log record includes values for the different components of the IP flow, including the source, destination, and protocol.', @@ -933,7 +859,6 @@ export class NZISM36Checks extends NagPack { */ private checkWAF(node: CfnResource): void { this.applyRule({ - ruleSuffixOverride: 'WAF_LOGGING', info: 'The WAFv2 web ACL does not have logging enabled | SHOULD 16.6.10.C.02[CID:2013], MUST 23.5.11.C.01[CID:7496]', explanation: 'AWS WAF logging provides detailed information about the traffic that is analyzed by your web ACL. The logs record the time that AWS WAF received the request from your AWS resource, information about the request, and an action for the rule that each request matched.', diff --git a/src/rules/ec2/EC2SecurityGroupOnlyTcp443.ts b/src/rules/ec2/EC2SecurityGroupOnlyTcp443.ts index 83d3a94169..f5c86be48d 100644 --- a/src/rules/ec2/EC2SecurityGroupOnlyTcp443.ts +++ b/src/rules/ec2/EC2SecurityGroupOnlyTcp443.ts @@ -8,7 +8,7 @@ import { CfnSecurityGroupIngress, CfnSecurityGroup } from 'aws-cdk-lib/aws-ec2'; import { NagRuleCompliance, NagRules } from '../../nag-rules'; /** - * Security Groups should only allow inbound access to tcp443 + * Security Groups only allow inbound access to traffic using TCP on port 443 * @param node the CfnResource to check */ export default Object.defineProperty( @@ -16,8 +16,7 @@ export default Object.defineProperty( if (node instanceof CfnSecurityGroup) { const ingressRules = Stack.of(node).resolve(node.securityGroupIngress); - if (ingressRules != undefined) { - //For each ingress rule, check that only TCP 443 is allowed from 0/0 + if (ingressRules) { for (const rule of ingressRules) { const resolvedcidrIp = NagRules.resolveIfPrimitive( node, @@ -28,16 +27,12 @@ export default Object.defineProperty( Stack.of(node).resolve(rule).cidrIpv6 ); - // if ipv4 if (resolvedcidrIp) { - // if the rule is not open to the world, it is compliant if (!resolvedcidrIp.includes('/0')) { return NagRuleCompliance.COMPLIANT; } } - // if ipv6 if (resolvedcidrIpv6) { - // if the rule is not open to the world, it is compliant if (!resolvedcidrIpv6.includes('/0')) { return NagRuleCompliance.COMPLIANT; } @@ -67,16 +62,12 @@ export default Object.defineProperty( const resolvedcidrIp = NagRules.resolveIfPrimitive(node, node.cidrIp); const resolvedcidrIpv6 = NagRules.resolveIfPrimitive(node, node.cidrIpv6); - // if ipv4 if (resolvedcidrIp) { - // if the rule is not open to the world, it is compliant if (!resolvedcidrIp.includes('/0')) { return NagRuleCompliance.COMPLIANT; } } - // if ipv6 if (resolvedcidrIpv6) { - // if the rule is not open to the world, it is compliant if (!resolvedcidrIpv6.includes('/0')) { return NagRuleCompliance.COMPLIANT; } diff --git a/src/rules/s3/S3BucketServerSideEncryptionEnabled.ts b/src/rules/s3/S3BucketServerSideEncryptionEnabled.ts deleted file mode 100644 index 4a4b83d239..0000000000 --- a/src/rules/s3/S3BucketServerSideEncryptionEnabled.ts +++ /dev/null @@ -1,52 +0,0 @@ -/* -Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. -SPDX-License-Identifier: Apache-2.0 -*/ -import { parse } from 'path'; -import { CfnResource, Stack } from 'aws-cdk-lib'; -import { CfnBucket } from 'aws-cdk-lib/aws-s3'; -import { NagRuleCompliance, NagRules } from '../../nag-rules'; - -/** - * S3 Buckets have default server-side encryption enabled - * @param node the CfnResource to check - */ -export default Object.defineProperty( - (node: CfnResource): NagRuleCompliance => { - if (node instanceof CfnBucket) { - if (node.bucketEncryption == undefined) { - return NagRuleCompliance.NON_COMPLIANT; - } - const encryption = Stack.of(node).resolve(node.bucketEncryption); - if (encryption.serverSideEncryptionConfiguration == undefined) { - return NagRuleCompliance.NON_COMPLIANT; - } - const sse = Stack.of(node).resolve( - encryption.serverSideEncryptionConfiguration - ); - for (const rule of sse) { - const defaultEncryption = Stack.of(node).resolve( - rule.serverSideEncryptionByDefault - ); - if (defaultEncryption == undefined) { - return NagRuleCompliance.NON_COMPLIANT; - } - const sseAlgorithm = NagRules.resolveIfPrimitive( - node, - defaultEncryption.sseAlgorithm - ); - if ( - sseAlgorithm.toLowerCase() != 'aes256' && - sseAlgorithm.toLowerCase() != 'aws:kms' - ) { - return NagRuleCompliance.NON_COMPLIANT; - } - } - return NagRuleCompliance.COMPLIANT; - } else { - return NagRuleCompliance.NOT_APPLICABLE; - } - }, - 'name', - { value: parse(__filename).name } -); diff --git a/src/rules/s3/index.ts b/src/rules/s3/index.ts index 6aa8c155e0..58684cad35 100644 --- a/src/rules/s3/index.ts +++ b/src/rules/s3/index.ts @@ -12,4 +12,3 @@ export { default as S3BucketSSLRequestsOnly } from './S3BucketSSLRequestsOnly'; export { default as S3BucketVersioningEnabled } from './S3BucketVersioningEnabled'; export { default as S3DefaultEncryptionKMS } from './S3DefaultEncryptionKMS'; export { default as S3WebBucketOAIAccess } from './S3WebBucketOAIAccess'; -export { default as S3BucketServerSideEncryptionEnabled } from './S3BucketServerSideEncryptionEnabled'; diff --git a/test/Packs.test.ts b/test/Packs.test.ts index 5fd2d174bf..3ec9d4a08a 100644 --- a/test/Packs.test.ts +++ b/test/Packs.test.ts @@ -648,74 +648,73 @@ describe('Check NagPack Details', () => { }); test('Pack contains expected warning and error rules', () => { const expectedWarnings = [ - 'NZISM3.6-CLOUDFRONT_REQUIRES_ROOT_OBJECT', - 'NZISM3.6-CLOUDTRAIL_REQUIRES_ENCRYPTION', - 'NZISM3.6-EBS_VOLUME_ENCRYPTED', - 'NZISM3.6-ECS_TASK_DEFINITION_PRIVLIDGED', - 'NZISM3.6-EFS_ENCRYPTION_REQUIRED', - 'NZISM3.6-ELASTIC_BEANSTALK_UPDATES', - 'NZISM3.6-IAM_NO_ADMIN_ACCESS', - 'NZISM3.6-KMS_KEY_ROTATION', - 'NZISM3.6-OPENSEARCH_ENCRYPTION_AT_REST', - 'NZISM3.6-RDS_MINOR_PATCHING', - 'NZISM3.6-RDS_STORAGE', - 'NZISM3.6-S3_KMS_ENCRYPTION', - 'NZISM3.6-S3_POLICY_SSL', - 'NZISM3.6-S3_PUBLIC_ACCESS', - 'NZISM3.6-S3_PUBLIC_READ', - 'NZISM3.6-S3_PUBLIC_WRITE', - 'NZISM3.6-S3_SERVERSIDE_ENCRYPTION', - 'NZISM3.6-SAGEMAKER_ENDPOINT_KMS', - 'NZISM3.6-SAGEMAKER_NOTEBOOK_KMS', - 'NZISM3.6-SECRET_KMS', - 'NZISM3.6-SECURITYGROUP_ONLY_TCP443', - 'NZISM3.6-SNS_KMS', + 'NZISM3.6-CloudFrontDefaultRootObjectConfigured', + 'NZISM3.6-CloudTrailEncryptionEnabled', + 'NZISM3.6-EC2EBSVolumeEncrypted', + 'NZISM3.6-EC2SecurityGroupOnlyTcp443', + 'NZISM3.6-ECSTaskDefinitionUserForHostMode', + 'NZISM3.6-EFSEncrypted', + 'NZISM3.6-ElasticBeanstalkManagedUpdatesEnabled', + 'NZISM3.6-IAMPolicyNoStatementsWithAdminAccess', + 'NZISM3.6-KMSBackingKeyRotationEnabled', + 'NZISM3.6-OpenSearchEncryptedAtRest', + 'NZISM3.6-RDSAutomaticMinorVersionUpgradeEnabled', + 'NZISM3.6-RDSStorageEncrypted', + 'NZISM3.6-S3BucketLevelPublicAccessProhibited', + 'NZISM3.6-S3BucketPublicReadProhibited', + 'NZISM3.6-S3BucketPublicWriteProhibited', + 'NZISM3.6-S3BucketSSLRequestsOnly', + 'NZISM3.6-S3DefaultEncryptionKMS', + 'NZISM3.6-SNSEncryptedKMS', + 'NZISM3.6-SageMakerEndpointConfigurationKMSKeyConfigured', + 'NZISM3.6-SageMakerNotebookInstanceKMSKeyConfigured', + 'NZISM3.6-SecretsManagerUsingKMSKey', ]; const expectedErrors = [ - 'NZISM3.6-ALB_HTTP_TO_HTTPS_REDIRECTION', - 'NZISM3.6-ALB_REQUIRES_WAF', - 'NZISM3.6-API_GATEWAY_LOGGING', - 'NZISM3.6-CLOUDFRONT_DISTRIBUTION_LOGGING', - 'NZISM3.6-CLOUDFRONT_OUTDATED_SSL', - 'NZISM3.6-CLOUDFRONT_REQUIRES_WAF', - 'NZISM3.6-CLOUDTRAIL_LOGFILE_VALIDATION', - 'NZISM3.6-CLOUDTRAIL_REQUIRES_CLOUDWATCH', - 'NZISM3.6-CLOUDWATCH_ENCRYPT_WITH_KMS', - 'NZISM3.6-CLOUDWATCH_RETENTION_PERIOD', - 'NZISM3.6-DMS_REPLICATION_NOT_PUBLIC', - 'NZISM3.6-DYNAMODB_AUTOSCALING', - 'NZISM3.6-DYNAMODB_MUST_HAVE_POINTINTIME_RECOVERY', - 'NZISM3.6-DYNAMODB_REQUIRES_BACKUP', - 'NZISM3.6-EBS_NOT_IN_BACKUP', - 'NZISM3.6-EC2IMDVS2_ENABLED', - 'NZISM3.6-EC2_MUST_BE_IN_VPC', - 'NZISM3.6-EC2_MUST_NOT_HAVE_PUBLIC_IP', - 'NZISM3.6-EFS_BACKUP_PLAN_REQUIRED', - 'NZISM3.6-ELB_CROSS_ZONE_LOADBALANCING', - 'NZISM3.6-ELB_HTTPS_LISTENER_ONLY', - 'NZISM3.6-ELB_LOGGING_ENABLED', - 'NZISM3.6-LAMBDA_NO_PUBLIC_ACCESS', - 'NZISM3.6-OPENSEARCH_MUST_BE_ON_VPC', - 'NZISM3.6-OPENSEARCH_NODE_TO_NODE_ENCRYPTION', - 'NZISM3.6-RDS_BACKUP', - 'NZISM3.6-RDS_DELETION_PROTECTION', - 'NZISM3.6-RDS_LOGGING', - 'NZISM3.6-RDS_MULTIAZ', - 'NZISM3.6-RDS_PUBLIC_ACCESS', - 'NZISM3.6-REDIS_BACKUP', - 'NZISM3.6-REDSHIFT_BACKUP', - 'NZISM3.6-REDSHIFT_ENCRYPTION', - 'NZISM3.6-REDSHIFT_LOGGING', - 'NZISM3.6-REDSHIFT_MAINTAINANCE', - 'NZISM3.6-REDSHIFT_NOT_PUBLIC', - 'NZISM3.6-S3_SEVER_ACCESS_LOGS', - 'NZISM3.6-S3_VERSIONING', - 'NZISM3.6-SAGEMAKER_NOTEBOOK_NO_INTERNET_ACCESS', - 'NZISM3.6-UNRESTRICTED_SSH', - 'NZISM3.6-VPC_DEFAULT_SECURITY_GROUP_CLOSED', - 'NZISM3.6-VPC_FLOW_LOG', - 'NZISM3.6-WAF_LOGGING', + 'NZISM3.6-ALBHttpToHttpsRedirection', + 'NZISM3.6-ALBWAFEnabled', + 'NZISM3.6-APIGWExecutionLoggingEnabled', + 'NZISM3.6-CloudFrontDistributionAccessLogging', + 'NZISM3.6-CloudFrontDistributionHttpsViewerNoOutdatedSSL', + 'NZISM3.6-CloudFrontDistributionWAFIntegration', + 'NZISM3.6-CloudTrailCloudWatchLogsEnabled', + 'NZISM3.6-CloudTrailLogFileValidationEnabled', + 'NZISM3.6-CloudWatchLogGroupEncrypted', + 'NZISM3.6-CloudWatchLogGroupRetentionPeriod', + 'NZISM3.6-DMSReplicationNotPublic', + 'NZISM3.6-DynamoDBAutoScalingEnabled', + 'NZISM3.6-DynamoDBInBackupPlan', + 'NZISM3.6-DynamoDBPITREnabled', + 'NZISM3.6-EC2EBSInBackupPlan', + 'NZISM3.6-EC2IMDSv2Enabled', + 'NZISM3.6-EC2InstanceNoPublicIp', + 'NZISM3.6-EC2InstancesInVPC', + 'NZISM3.6-EC2RestrictedSSH', + 'NZISM3.6-EFSInBackupPlan', + 'NZISM3.6-ELBCrossZoneLoadBalancingEnabled', + 'NZISM3.6-ELBLoggingEnabled', + 'NZISM3.6-ELBTlsHttpsListenersOnly', + 'NZISM3.6-ElastiCacheRedisClusterAutomaticBackup', + 'NZISM3.6-LambdaFunctionPublicAccessProhibited', + 'NZISM3.6-OpenSearchInVPCOnly', + 'NZISM3.6-OpenSearchNodeToNodeEncryption', + 'NZISM3.6-RDSInBackupPlan', + 'NZISM3.6-RDSInstanceDeletionProtectionEnabled', + 'NZISM3.6-RDSInstancePublicAccess', + 'NZISM3.6-RDSLoggingEnabled', + 'NZISM3.6-RDSMultiAZSupport', + 'NZISM3.6-RedshiftBackupEnabled', + 'NZISM3.6-RedshiftClusterConfiguration', + 'NZISM3.6-RedshiftClusterMaintenanceSettings', + 'NZISM3.6-RedshiftClusterPublicAccess', + 'NZISM3.6-RedshiftRequireTlsSSL', + 'NZISM3.6-S3BucketLoggingEnabled', + 'NZISM3.6-S3BucketVersioningEnabled', + 'NZISM3.6-SageMakerNotebookNoDirectInternetAccess', + 'NZISM3.6-VPCDefaultSecurityGroupClosed', + 'NZISM3.6-VPCFlowLogsEnabled', + 'NZISM3.6-WAFv2LoggingEnabled', ]; jest.spyOn(pack, 'applyRule'); const stack = new Stack(); diff --git a/test/rules/S3.test.ts b/test/rules/S3.test.ts index e0e3081843..c8dff9e555 100644 --- a/test/rules/S3.test.ts +++ b/test/rules/S3.test.ts @@ -35,7 +35,6 @@ import { S3BucketVersioningEnabled, S3DefaultEncryptionKMS, S3WebBucketOAIAccess, - S3BucketServerSideEncryptionEnabled, } from '../../src/rules/s3'; const testPack = new TestPack([ @@ -49,7 +48,6 @@ const testPack = new TestPack([ S3BucketVersioningEnabled, S3DefaultEncryptionKMS, S3WebBucketOAIAccess, - S3BucketServerSideEncryptionEnabled, ]); let stack: Stack; @@ -256,20 +254,6 @@ describe('Amazon Simple Storage Service (S3)', () => { }); }); - describe('S3BucketServerSideEncryptionEnabled: S3 Buckets have default server-side encryption enabled', () => { - const ruleId = 'S3BucketServerSideEncryptionEnabled'; - test('Noncompliance 1', () => { - new Bucket(stack, 'rBucket'); - validateStack(stack, ruleId, TestType.NON_COMPLIANCE); - }); - test('Compliance', () => { - new Bucket(stack, 'rBucket', { - encryption: BucketEncryption.S3_MANAGED, - }); - validateStack(stack, ruleId, TestType.COMPLIANCE); - }); - }); - describe('S3BucketReplicationEnabled: S3 Buckets have replication enabled', () => { const ruleId = 'S3BucketReplicationEnabled'; test('Noncompliance 1', () => { From 1883fd46f79f2e0bac0a569b0d9798d8d8887c03 Mon Sep 17 00:00:00 2001 From: mrpackethead Date: Mon, 4 Sep 2023 22:37:31 +0000 Subject: [PATCH 06/85] fix: spelling --- README.md | 1 + RULES.md | 110 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 111 insertions(+) diff --git a/README.md b/README.md index f3f3bef74c..2ecd40ea07 100644 --- a/README.md +++ b/README.md @@ -28,6 +28,7 @@ See [RULES](./RULES.md) for more information on all the available packs. 3. [NIST 800-53 rev 4](./RULES.md#nist-800-53-rev-4) 4. [NIST 800-53 rev 5](./RULES.md#nist-800-53-rev-5) 5. [PCI DSS 3.2.1](./RULES.md#pci-dss-321) +6. [NZISM3.6](./RULES.md#nzism-3.6) [RULES](./RULES.md) also includes a collection of [additional rules](./RULES.md#additional-rules) that are not currently included in any of the pre-built NagPacks, but are still available for inclusion in custom NagPacks. diff --git a/RULES.md b/RULES.md index 58f8b681fb..9f5c6aaf29 100644 --- a/RULES.md +++ b/RULES.md @@ -695,6 +695,116 @@ Unimplemented rules from the AWS PCI DSS 3.2.1 Conformance Pack. | [ssm-document-not-public](https://docs.aws.amazon.com/config/latest/developerguide/ssm-document-not-public.html) | SSM documents are not public. | 1.2, 1.2.1, 1.3, 1.3.1, 1.3.2, 1.3.4, 1.3.6, 2.2.2 | | [vpc-sg-open-only-to-authorized-ports](https://docs.aws.amazon.com/config/latest/developerguide/vpc-sg-open-only-to-authorized-ports.html) | The VPC Security Group restricts IPv4 TCP traffic on unauthorized ports.[2](#vpc-sg-open-only-to-authorized-ports) | 1.2, 1.2.1, 1.3, 1.3.1, 1.3.2, 2.2.2 | +## NZISM 3.6 + +The Operational Best Practices for NZISM3.6 provides a sample mapping between the New Zealand Government Communications Security Bureau (GCSB) Information Security Manual (NZISM) and AWS Managed Config rules. Each Config rule applies to a specific AWS resource, and relates to one or more NZISM controls. An NZISM control can be related to multiple Config rules + +### Errors + +| Rule ID | Cause | Explanation | Relevent Control ID(s) | +| ------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------- | +| NZISM3.6-APIGWExecutionLoggingEnabled | The API Gateway stage does not have execution logging enabled for all methods. | API Gateway logging displays detailed views of users who accessed the API and the way they accessed the API. This insight enables visibility of user activities. | 16.6.10.C.02[CID:2013], 23.5.11.C.01[CID:7496] | +| NZISM3.6-CloudFrontDistributionAccessLogging | The CloudFront distribution does not have access logging enabled. | Enabling access logs helps operators track all viewer requests for the content delivered through the Content Delivery Network | 16.6.10.C.02[CID:2013], 23.5.11.C.01[CID:7496] | +| NZISM3.6-CloudFrontDistributionWAFIntegration | The CloudFront distribution requires integration with WAF. | The Web Application Firewall can help protect against application-layer attacks that can compromise the security of the system or place unnecessary load on them | 19.1.12.C.01[CID:3562] | +| NZISM3.6-CloudFrontDistributionHttpsViewerNoOutdatedSSL | The CloudFront distribution allows for SSLv3 or TLSv1 for HTTPS viewer connections. | Vulnerabilities have been and continue to be discovered in the deprecated SSL and TLS protocols. Help protect viewer connections by specifying a viewer certificate that enforces a minimum of TLSv1.1 or TLSv1.2 in the security policy. Distributions that use the default CloudFront viewer certificate or use vip for the SslSupportMethod are non-compliant with this rule, as the minimum security policy is set to TLSv1 regardless of the specified MinimumProtocolVersion | 16.1.37.C.01[CID:1847] | +| NZISM3.6-CloudTrailCloudWatchLogsEnabled | The trail does not have CloudWatch logs enabled. | Use Amazon CloudWatch to centrally collect and manage log event activity. Inclusion of AWS CloudTrail data provides details of API call activity within your AWS account | 16.6.6.C.02[CID:1998] 16.4.35.C.02[CID:6860] | +| NZISM3.6-CloudTrailLogFileValidationEnabled | The trail does not have validation enabled. | Utilize AWS CloudTrail log file validation to check the integrity of CloudTrail logs. Log file validation helps determine if a log file was modified or deleted or unchanged after CloudTrail delivered it. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection | 16.6.12.C.01[CID:2022], 23.5.11.C.01[CID:7496] | +| NZISM3.6-CloudWatchLogGroupRetentionPeriod | The CloudWatch Log Group does not have an explicit retention period configured. | Ensure a minimum duration of event log data is retained for your log groups to help with troubleshooting and forensics investigations. The lack of available past event log data makes it difficult to reconstruct and identify potentially malicious events | 16.6.6.C.02[CID:1998], 16.6.13.C.01[CID:2028] | +| NZISM3.6-CloudWatchLogGroupEncrypted | The CloudWatch Log Group is not encrypted with an AWS KMS key. | To help protect sensitive data at rest, ensure encryption is enabled for your Amazon CloudWatch Log Groups | 16.6.12.C.01[CID:2022], 23.5.11.C.01[CID:7496] | +| NZISM3.6-DMSReplicationNotPublic | The DMS replication instance is public. | DMS replication instances can contain sensitive information and access control is required for such accounts | 19.1.12.C.01[CID:3562], 23.4.10.C.01[CID:7466] | +| NZISM3.6-DynamoDBAutoScalingEnabled | The provisioned capacity DynamoDB table does not have Auto Scaling enabled on its indexes. | Amazon DynamoDB auto scaling uses the AWS Application Auto Scaling service to adjust provisioned throughput capacity that automatically responds to actual traffic patterns. This enables a table or a global secondary index to increase its provisioned read/write capacity to handle sudden increases in traffic, without throttling | 22.1.23.C.01[CID:4829] | +| NZISM3.6-DynamoDBInBackupPlan | The DynamoDB table is not in an AWS Backup plan. | To help with data back-up processes, ensure your Amazon DynamoDB tables are a part of an AWS Backup plan. AWS Backup is a fully managed backup service with a policy-based backup solution. This solution simplifies your backup management and enables you to meet your business and regulatory backup compliance requirements | 22.1.26.C.01[CID:4849] | +| NZISM3.6-DynamoDBPITREnabled | DynamoDB table does not have Point-in-time Recovery enabled. | The recovery maintains continuous backups of your table for the last 35 days | 22.1.26.C.01[CID:4849] | +| NZISM3.6-EC2EBSInBackupPlan | The EC2 instance is associated with a public IP address. | Manage access to the AWS Cloud by ensuring Amazon Elastic Compute Cloud (Amazon EC2) instances cannot be publicly accessed. Amazon EC2 instances can contain sensitive information and access control is required for such accounts | 23.4.10.C.01[CID:7466] | +| NZISM3.6-EC2InstancesInVPC | The EC2 instance is not within a VPC. | Deploy Amazon Elastic Compute Cloud (Amazon EC2) instances within an Amazon Virtual Private Cloud (Amazon VPC) to enable secure communication between an instance and other services within the amazon VPC, without requiring an internet gateway, NAT device, or VPN connection. All traffic remains securely within the AWS Cloud. Because of their logical isolation, domains that reside within anAmazon VPC have an extra layer of security when compared to domains that use public endpoints. Assign Amazon EC2 instances to an Amazon VPC to properly manage access | 19.1.12.C.01[CID:3562], 23.4.10.C.01[CID:7466] | +| NZISM3.6-EC2IMDSv2 | THe Ec2 Instance does not use IMDSv2. | IMDSv2 adds session-based controls to http requests to restrict access to the Instance Meta Data Service | 19.1.12.C.01[CID:3562], 23.4.10.C.01[CID:7466] | +| NZISM3.6-EFSInBackupPlan | The EFS is not in an AWS Backup plan. | To help with data back-up processes, ensure your Amazon Elastic File System (Amazon EFS) file systems are a part of an AWS Backup plan. AWS Backup is a fully managed backup service with a policy-based backup solution. This solution simplifies your backup management and enables you to meet your business and regulatory backup compliance requirements | MUST 22.1.26.C.01[CID:4849] | +| NZISM3.6-EFSEncrypted | The EFS does not have encryption at rest enabled. | Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your Amazon Elastic File System (EFS) | 17.1.46.C.04[CID:2082], 22.1.24.C.04[CID:4839] | +| NZISM3.6-ElastiCacheRedisClusterAutomaticBackup | The ElastiCache Redis cluster does not retain automatic backups for at least 15 day. | Automatic backups can help guard against data loss. If a failure occurs, you can create a new cluster, which restores your data from the most recent backup | 22.1.26.C.01[CID:4849] | +| NZISM3.6-ALBHttpToHttpsRedirection | The ALBs HTTP listeners are not configured to redirect to HTTPS. | To help protect data in transit, ensure that your Application Load Balancer automatically redirects unencrypted HTTP requests to HTTPS. Because sensitive data can exist, enable encryption in transit to help protect that data | 16.1.37.C.01[CID:1847], 17.1.48.C.03[CID:2091] | +| NZISM3.6-ALBWAFEnabled | The ALB is not associated with AWS WAFv2 web ACL. | A WAF helps to protect your web applications or APIs against common web exploits. These web exploits may affect availability, compromise security, or consume excessive resources within your environment | 19.1.12.C.01[CID:3562], 20.3.7.C.02[CID:4333], 23.4.10.C.01[CID:7466] | +| NZISM3.6-ELBCrossZoneLoadBalancingEnabled | Load Balancers are not cross zone enabled. | Enable cross-zone load balancing for your Classic Load Balancers (CLBs) to help maintain adequate capacity and availability. The cross-zone load balancing reduces the need to maintain equivalent numbers of instances in each enabled availability zone. It also improves your application's ability to handle the loss of one or more instances | 22.1.23.C.01[CID:4829] | +| NZISM3.6-ELBLoggingEnabled | The ELB does not have logging enabled. | Elastic Load Balancing activity is a central point of communication within an environment. Ensure ELB logging is enabled. The collected data provides detailed information about requests sent to The ELB. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses | 16.6.10.C.02[CID:2013], 23.5.11.C.01[CID:7496] | +| NZISM3.6-ELBTlsHttpsListenersOnly | The Classic Load Balancer does not restrict its listeners to only the SSL and HTTPS protocol. | Ensure that your Classic Load Balancers (CLBs) are configured with SSL or HTTPS listeners. Because sensitive data can exist, enable encryption in transit to help protect that data | 14.5.8.C.01[CID:1667], 16.1.37.C.01[CID:1847], 17.1.48.C.03[CID:2091], 22.1.24.C.04[CID:4839] | +| NZISM3.6-lambda-function-public-access-prohibited | Lambda function policies should not be publically invokable. | | 19.1.12.C.01[CID:3562], 23.4.10.C.01[CID:7466] | +| NZISM3.6-OpenSearchInVPCOnly | The OpenSearch Service domain is not running within a VPC. | VPCs help secure your AWS resources and provide an extra layer of protection | 19.1.12.C.01[CID:3562], 19.1.14.C.02[CID:3623] | +| NZISM3.6-OpenSearchNodeToNodeEncryption | The OpenSearch Service domain does not have node-to-node encryption enabled. | Because sensitive data can exist, enable encryption in transit to help protect that data within your Amazon OpenSearch Service (OpenSearch Service) domains | 16.1.37.C.01[CID:1847], 22.1.24.C.04[CID:4839] | +| NZISM3.6-RDSInstanceDeletionProtectionEnabled | The RDS DB Instance or Aurora Cluster does not have deletion protection enabled. | Ensure Amazon Relational Database Service (Amazon RDS) instances and clusters have deletion protection enabled. Use deletion protection to prevent your Amazon RDS DB instances and clusters from being accidentally or maliciously deleted, which can lead to loss of availability for your application | 22.1.26.C.01[CID:4849] | +| NZISM3.6-RDSMultiAZSupport | The RDS DB Instance does not have multi-AZ support. | Ensure Amazon Relational Database Service (Amazon RDS) instances and clusters have deletion protection enabled. Use deletion protection to prevent your Amazon RDS DB instances and clusters from being accidentally or maliciously deleted, which can lead to loss of availability for your applications | 22.1.23.C.01[CID:4829] | +| NZISM3.6-RDSInBackupPlan | The RDS DB instance is not in an AWS Backup plan. | To help with data back-up processes, ensure your Amazon Relational Database Service (Amazon RDS) instances are a part of an AWS Backup plan. AWS Backup is a fully managed backup service with a policy-based backup solution. This solution simplifies your backup management and enables you to meet your business and regulatory backup compliance requirements | 22.1.26.C.01[CID:4849] | +| NZISM3.6-RDSInstancePublicAccess | The RDS DB Instance allows public access. | Amazon RDS database instances can contain sensitive information, and principles and access control is required for such accounts | 19.1.12.C.01[CID:3562], 19.1.14.C.02[CID:3623], 23.4.10.C.01[CID:7466] | +| NZISM3.6-RedshiftBackupEnabled | The Redshift cluster does not have automated snapshots enabled or the retention period is not between 1 and 35 days. | To help with data back-up processes, ensure your Amazon Redshift clusters have automated snapshots. When automated snapshots are enabled for a cluster, Redshift periodically takes snapshots of that cluster. By default, Redshift takes a snapshot every eight hours or every 5 GB per node of data changes, or whichever comes first | 22.1.26.C.01[CID:4849] | +| NZISM3.6-RedshiftClusterMaintenanceSettings | The Redshift cluster does not have version upgrades enabled, automated snapshot retention periods enabled, and an explicit maintenance window configured. | Ensure that Amazon Redshift clusters have the preferred settings for your organization. Specifically, that they have preferred maintenance windows and automated snapshot retention periods for the database | 12.4.4.C.02[CID:3449], 12.4.4.C.06[CID:3453] | +| NZISM3.6-RedshiftClusterPublicAccess | Redshift must not be made publically avaialble. | Amazon Redshift clusters can contain sensitive information and principles and access control is required for such accounts | 19.1.12.C.01[CID:3562], 19.1.14.C.02[CID:3623], 23.4.10.C.01[CID:7466] | +| NZISM3.6-RedshiftRequireTlsSSL | The Redshift cluster must use TLS/SSL encryption. | Ensure that your Amazon Redshift clusters require TLS/SSL encryption to connect to SQL clients. Because sensitive data can exist, enable encryption in transit to help protect that data | 17.1.48.C.03[CID:2091], 22.1.24.C.04[CID:4839] | +| NZISM3.6-S3BucketLoggingEnabled | The S3 Buckets does not have server access logs enable. | Amazon Simple Storage Service (Amazon S3) server access logging provides a method to monitor the network for potential cybersecurity events. The events are monitored by capturing detailed records for the requests that are made to an Amazon S3 bucket. Each access log record provides details about a single access request. The details include the requester, bucket name, request time, request action, response status, and an error code, if relevant | 22.1.26.C.01[CID:4849] | +| NZISM3.6-S3BucketVersioningEnabled | The S3 Bucket does not have versioning enable. | Use versioning to preserve, retrieve, and restore every version of every object stored in your Amazon S3 bucket. Versioning helps you to easily recover from unintended user actions and application failures | 22.1.26.C.01[CID:4849] | +| NZISM3.6-SageMakerNotebookNoDirectInternetAccess | The SageMaker notebook does not disable direct internet access. | By preventing direct internet access, you can keep sensitive data from being accessed by unauthorized users | 19.1.12.C.01[CID:3562], 23.4.10.C.01[CID:7466] | +| NZISM3.6-VPCDefaultSecurityGroupClosed | The VPC does not have an associated Flow Log. | The VPC flow logs provide detailed records for information about the IP traffic going to and from network interfaces in your Amazon | +| NZSISM3.6-VPCFlowLogs | VPC does not have an Assocated Flow Log. | Enable a Flow Log for the VPC | 19.1.12.C.01[CID:3562], 23.4.10.C.01[CID:7466] | +| NZISM3.6-WAFv2LoggingEnabled | The WAFv2 web ACL does not have logging enabled. | AWS WAF logging provides detailed information about the traffic that is analyzed by your web ACL. The logs record the time that AWS WAF received the request from your AWS resource, information about the request, and an action for the rule that each request matched. | [CID:2013], 23.5.11.C.01[CID:7496] | + +### Warnings. + +| Rule ID | Cause | Explanation | Relevent Control ID(s) | +| ------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------- | +| NZISM3.6-CloudFrontDistributionAccessLogging | The CloudFront distribution does not have access logging enabled. | Enabling access logs helps operators track all viewer requests for the content delivered through the Content Delivery Network. | 16.6.10.C.02[CID:2013], 23.5.11.C.01[CID:7496] | +| NZISM3.6-CloudTrailEncryptionEnabled | The trail does not have encryption enabled. | Because sensitive data may exist and to help protect data at rest, ensure encryption is enabled for your AWS CloudTrail trails | 17.1.46.C.04[CID:2082] | +| NZISM3.6-CloudfrontDefaultRootObjectConfigured | The Cloudfront distribution requires a default object. | Specifying a default root object lets you avoid exposing the contents of your distribution | 14.5.6.C.01[CID:1661] | +| NZISM3.6-EC2EBSVolumeEncrypted | The EBS volume has encryption disabled. | With EBS encryption, you aren not required to build, maintain, and secure your own key management infrastructure. EBS encryption uses KMS keys when creating encrypted volumes and snapshots. This helps protect data at rest. | 17.1.46.C.04[CID:2082], 22.1.24.C.04[CID:4839 | +| NZISM3.6-EC2RestrictedSSH | The Security Group allows unrestricted SSH access. | Not allowing ingress (or remote) traffic from 0.0.0.0/0 or ::/0 to port 22 on your resources helps to restrict remote access | 17.5.8.C.02[CID:2726] | +| NZISM3.6-ECSTaskDefinitionUserForHostMode | The ECS task definition is configured for host networking and has at least one container with definitions with privileged set to false or empty or user set to root or empty. | If a task definition has elevated privileges it is because you have specifically opted-in to those configurations. This rule checks for unexpected privilege escalation when a task definition has host networking enabled but the customer has not opted-in to elevated privileges | 14.1.8.C.01[CID:1149] | +| NZISM3.6-ElasticBeanstalkManagedUpdatesEnabled | The Elastic Beanstalk environment does not have enhanced health reporting enabled. | Enabling managed platform updates for an Amazon Elastic Beanstalk environment ensures that the latest available platform fixes, updates, and features for the environment are installed. Keeping up to date with patch installation is a best practice in securing systems | 12.4.4.C.05[CID:3452] | +| NZISM3.6-IAMPolicyNoStatementsWithAdminAccess | The IAM policy grants admin access, meaning the policy allows a principal to perform all actions on all resources. | AWS Identity and Access Management (IAM) can help you incorporate the principles of least privilege and separation of duties with access permissions and authorizations, by ensuring that IAM groups have at least one IAM user. Placing IAM users in groups based on their associated permissions or job function is one way to incorporate least privilege | 16.3.5.C.02[CID:1946] | +| NZISM3.6-KMSBackingKeyRotationEnabled | The KMS Symmetric key does not have automatic key rotation enabled. | Enable key rotation to ensure that keys are rotated once they have reached the end of their crypto period | 17.9.25.C.01[CID:3021] | +| NZISM3.6-OpenSearchEncryptedAtRest | The OpenSearch Service domain does not have encryption at rest enabled. | Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your Amazon OpenSearch Service (OpenSearch Service) domains | 17.1.46.C.04[CID:2082], 20.4.4.C.02[CID:4441], 22.1.24.C.04[CID:4839] | +| NZISM3.6-RDSAutomaticMinorVersionUpgradeEnabled | RDS DB Instance is not configured for minor patches. | Provides automatic Patching in the Database | 12.4.4.C.05[CID:3452] | +| NZISM3.6-RDSLoggingEnabled | The non-Aurora RDS DB instance or Aurora cluster does not have all CloudWatch log types exported. | | SHOULD 16.6.10.C.02[CID:2013], 20.4.4.C.02[CID:4441], 20.4.5.C.02[CID:4445], MUST 23.5.11.C.01[CID:7496] | +| NZISM3.6-RDSStorageEncrypted | The RDS DB Instance or Aurora Cluster does not have storage encrypted. | Because sensitive data can exist at rest in Amazon RDS instances, enable encryption at rest to help protect that data | 17.1.46.C.04[CID:2082], 20.4.4.C.02[CID:4441], 22.1.24.C.04[CID:4839] | +| NZISM3.6-RedshiftClusterConfiguration | The Redshift cluster does not have encryption or audit logging enabled. | To protect data at rest, ensure that encryption is enabled for your Amazon Redshift clusters. You must also ensure that required configurations are deployed on Amazon Redshift clusters. The audit logging should be enabled to provide information about connections and user activities in the database | 20.4.4.C.02[CID:4441], 20.4.5.C.02[CID:4445], 22.1.24.C.04[CID:4839] | +| NZISM3.6-S3BucketSSLRequestsOnly | The S3 Bucket or bucket policy does not require requests to use SSL. | To help protect data in transit, ensure that your Amazon Simple Storage Service (Amazon S3) buckets require requests to use Secure Socket Layer (SSL). Because sensitive data can exist, enable encryption in transit to help protect that data. | 22.1.24.C.04[CID:4839] | +| NZISM3.6-S3BucketPublicReadProhibited | The S3 Bucket does not prohibit public read access through its Block Public Access configurations and bucket ACLs. | The management of access should be consistent with the classification of the data | 22.1.24.C.03[CID:4838] | +| NZISM3.6-S3BucketPublicWriteProhibited | The S3 Bucket does not prohibit public write access through its Block Public Access configurations and bucket ACLs. | The management of access should be consistent with the classification of the data | 22.1.24.C.03[CID:4838] | +| NZISM3.6-S3DefaultEncryptionKMS | The S3 Bucket is not encrypted with a KMS Key by default. | Ensure that encryption is enabled for your Amazon Simple Storage Service (Amazon S3) buckets. Because sensitive data can exist at rest in an Amazon S3 bucket, enable encryption at rest to help protect that data | 17.1.46.C.04[CID:2082] | +| NZISM3.6-SageMakerEndpointConfigurationKMSKeyConfigured | The SageMaker resource endpoint is not encrypted with a KMS key. | Because sensitive data can exist at rest in SageMaker endpoint, enable encryption at rest to help protect that data | 22.1.24.C.04[CID:4839] | +| NZISM3.6-SageMakerNotebookInstanceKMSKeyConfigured | The SageMaker notebook is not encrypted with a KMS key. | Because sensitive data can exist at rest in SageMaker notebook, enable encryption at rest to help protect that data | 22.1.24.C.04[CID:4839] | +| NZISM3.6-SecretsManagerUsingKMSKey | The secret is not encrypted with a KMS Customer managed key. | To help protect data at rest, ensure encryption with AWS Key Management Service (AWS KMS) is enabled for AWS Secrets Manager secrets. Because sensitive data can exist at rest in Secrets Manager secrets, enable encryption at rest to help protect that data | 22.1.24.C.04[CID:4839] | +| NZISM3.6-SNSEncryptedKMS | The SNS topic does not have KMS encryption enabled. | To help protect data at rest, ensure that your Amazon Simple Notification Service (Amazon SNS) topics require encryption using AWS Key Management Service (AWS KMS) Because sensitive data can exist at rest in published messages, enable encryption at rest to help protect that data | 22.1.24.C.04[CID:4839] | +| NZISM3.6-EC2SecurityGroupOnlyTcp443 | Only port tcp 443 shoudl be permitted in ingress security group. | Not allowing ingress (or remote) traffic to ports other than tcp port 443 helps improve security | 18.1.13.C.02[CID:3205] | + +### Excluded Rules + +Unimplemented rules from the NSISM 3.6 Conformance Pack. + +| AWS Config Rule Name | Summary | Relevant Control ID(s) | Reason for Exclusion from NagPak.. | +| ---------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------- | +| NZISM3.6-acm-certificate-expiration-check | AWS Certificate Manager Certificates in your account are valid and not marked for expiration within the specified number of days. | SHOULD 14.5.8.C.01[CID:1667] | Account Level Check | +| NZISM3.6-cloudtrail-enabled | The AWS account has cloudtrail enabled. | 16.6.6.C.02[CID:1998], 16.6.10.C.02[CID:2013], 16.4.35.C.02[CID:6860], 23.5.11.C.01[CID:7496] | Account Level Check | +| NZISM3.6-cloudtrail-s3-dataevents-enabled | The AWS Account has at least once AWS CloudTrail that logs Amazon S3 data events for all S3 buckets. | SHOULD 22.1.24.C.03[CID:4838] | Account Level Check | +| NZISM3.6-cloudtrail-security-trail-enabled | The AWS Account has at least once AWS CloudTrail that records global service events, is a multi-region trail, has Log file validation enabled, encrypted with a KMS key, records events for reads and writes, records management events, and does not exclude any management events. | MUST 16.4.35.C.03[CID:6861] | Account Level Check | +| NZISM3.6-ebs-snapshot-public-restorable-check | EBS snapshots can be publicly restored . | SHOULD 22.1.24.C.03[CID:4838] | Account Level Check | +| NZISM3.6-ec2-critical-security-patch-auto-approval | Patch Baselines for Windows and/or Linux have been configured in Patch Manager, including auto-approval of critical security patches within 2 days of release | SHOULD 12.4.4.C.04[CID:3451] | Account Level Check | +| NZISM3.6-ec2-ebs-encryption-by-default | Default encryption for EBS volumes is enabled at the AWS Account level. | SHOULD 17.1.46.C.04[CID:2082] | Account Level Check | +| NZISM3.6-ec2-hardening-and-state-management | Hardened EC2 server image build processes and State Manager Associations are configured to remove unneeded components and services, and install anti-malware software and log agents | SHOULD 14.1.8.C.01[CID:1149] | Account Level Check | +| NZISM3.6-ec2-instance-managed-by-systems-manager | EC2 instances are managed by Systems Manager. | SHOULD 14.1.8.C.01[CID:1149] | Account Level Check | +| NZISM3.6-ec2-managedinstance-association-compliance-status-check | Managed EC2 instances are compliant with their association's standards. | SHOULD 14.1.8.C.01[CID:1149] | Account Level Check | +| NZISM3.6-ec2-managedinstance-patch-compliance-status-check | EC2 instances are compliant with their patch requirements. | MUST 12.4.4.C.02[CID:3449], SHOULD 12.4.4.C.04[CID:3451], SHOULD 12.4.4.C.05[CID:3452], SHOULD 12.4.4.C.06[CID:3453] | Account Level Check | +| NZISM3.6-ecr-private-image-scanning-enabled | | MUST 12.4.4.C.02[CID:3449] | Account Level Check | +| NZISM3.6-ecs-containers-readonly-access | | SHOULD 14.1.8.C.01[CID:1149] | Account Level Check | +| NZISM3.6-emr-master-no-public-ip | EMR clusters' master nodes have no public IP. | MUST 19.1.12.C.01[CID:3562], MUST 23.4.10.C.01[CID:7466] | Account Level Check | +| NZISM3.6-federate-with-central-idp | | MUST 19.1.12.C.01[CID:3562], MUST 18.4.9.C.01[CID:3815], SHOULD 18.4.12.C.01[CID:3875], MUST 23.4.10.C.01[CID:7466] | Account Level Check | +| NZISM3.6-iam-password-policy | Account password policy for IAM users meet the specified requirements indicated in the parameters. | SHOULD 16.1.40.C.02[CID:1858] | Account Level Check | +| NZISM3.6-iam-root-access-key-check | The Account IAM Root User has an access key(s) . | SHOULD 16.3.5.C.02[CID:1946] | Account Level Check | +| NZISM3.6-iam-user-unused-credentials-check | IAM User passwords and active access keys have been used within a specified number of days. | SHOULD 16.1.46.C.02[CID:1893], MUST 16.4.33.C.01[CID:6852] | Account Level Check | +| NZISM3.6-kms-cmk-for-each-data-classification | | SHOULD 17.9.25.C.01[CID:3021] | Account Level Check | +| NZISM3.6-mfa-enabled-for-iam-console-access | IAM Users have MFA enabled for console access. | SHOULD 16.1.35.C.02[CID:1841], SHOULD 16.4.31.C.02[CID:6843], SHOULD 16.7.34.C.02[CID:6953], MUST 23.3.19.C.01[CID:7436], MUST 23.3.19.C.01[CID:7437] | Account Level Check | +| NZISM3.6-rds-snapshot-encrypted | RDS snapshots are encrypted. | SHOULD 17.1.46.C.04[CID:2082], SHOULD 20.4.4.C.02[CID:4441], SHOULD 22.1.24.C.04[CID:4839] | Account Level Check | +| NZISM3.6-rds-snapshots-public-prohibited | RDS snapshots are not public. | SHOULD 20.4.4.C.02[CID:4441] | Account Level Check | +| NZISM3.6-root-account-hardware-mfa-enabled | The AWS Account root user is hardware MFA enabled. | SHOULD 16.1.35.C.02[CID:1841], SHOULD 16.4.31.C.02[CID:6843], SHOULD 16.7.34.C.02[CID:6953], MUST 23.3.19.C.01[CID:7436], MUST 23.3.19.C.01[CID:7437] | Account Level Check | +| NZISM3.6-root-account-mfa-enabled | The AWS Account root user is MFA enabled. | SHOULD 16.1.35.C.02[CID:1841], MUST 23.3.19.C.01[CID:7436], MUST 23.3.19.C.01[CID:7437] | Account Level Check | +| NZISM3.6-securityhub-enabled | The AWS Account has Security Hub enabled. | SHOULD 18.4.12.C.01[CID:3875] | Account Level Check | +| NZISM3.6-ssm-document-not-public | SSM documents are not public. | MUST 23.4.10.C.01[CID:7466] | Account Level Check | + ## Additional Rules A collection of community rules that are not currently included in any of the pre-built NagPacks, but are still available for inclusion in [custom NagPacks](https://github.com/cdklabs/cdk-nag/blob/main/docs/NagPack.md). From 7ee784d144433fc785a5bc0259b3730fbc69db6b Mon Sep 17 00:00:00 2001 From: mrpackethead Date: Tue, 5 Sep 2023 21:24:04 +0000 Subject: [PATCH 07/85] fix: Changed Info to agreed format, changed EC2RestrictedSSH and RedShiftClusterConfiguraiton from .ERROR to .WARNING as the CIDare SHOULD, not MUST --- src/packs/nzism-v36-1022-20.ts | 134 ++++++++++++++++----------------- test/Packs.test.ts | 4 +- 2 files changed, 69 insertions(+), 69 deletions(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index 9c919d5867..4770a82292 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -141,7 +141,7 @@ export class NZISM36Checks extends NagPack { */ private checkAPIGW(node: CfnResource): void { this.applyRule({ - info: 'The API Gateway stage does not have execution logging enabled for all methods. | SHOULD 16.6.10.C.02[CID:2013], MUST 23.5.11.C.01[CID:7496] ', + info: 'The API Gateway stage does not have execution logging enabled for all methods - (Control IDs: SHOULD 16.6.10.C.02[CID:2013], MUST 23.5.11.C.01[CID:7496])', explanation: 'API Gateway logging displays detailed views of users who accessed the API and the way they accessed the API. This insight enables visibility of user activities.', level: NagMessageLevel.ERROR, @@ -157,7 +157,7 @@ export class NZISM36Checks extends NagPack { */ private checkCloudFront(node: CfnResource): void { this.applyRule({ - info: 'The CloudFront distribution does not have access logging enabled. | SHOULD 16.6.10.C.02[CID:2013], MUST 23.5.11.C.01[CID:7496]', + info: 'The CloudFront distribution does not have access logging enabled. - (Control IDs: SHOULD 16.6.10.C.02[CID:2013], MUST 23.5.11.C.01[CID:7496])', explanation: 'Enabling access logs helps operators track all viewer requests for the content delivered through the Content Delivery Network.', level: NagMessageLevel.ERROR, @@ -165,7 +165,7 @@ export class NZISM36Checks extends NagPack { node: node, }); this.applyRule({ - info: 'The CloudFront distribution requires integration with WAF | MUST 19.1.12.C.01[CID:3562]', + info: 'The CloudFront distribution requires integration with WAF - (Control IDs: MUST 19.1.12.C.01[CID:3562])', explanation: 'The Web Application Firewall can help protect against application-layer attacks that can compromise the security of the system or place unnecessary load on them.', level: NagMessageLevel.ERROR, @@ -174,7 +174,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'The CloudFront distribution allows for SSLv3 or TLSv1 for HTTPS viewer connections | MUST 16.1.37.C.01[CID:1847]', + info: 'The CloudFront distribution allows for SSLv3 or TLSv1 for HTTPS viewer connections - (Control IDs: MUST 16.1.37.C.01[CID:1847])', explanation: 'Vulnerabilities have been and continue to be discovered in the deprecated SSL and TLS protocols. Help protect viewer connections by specifying a viewer certificate that enforces a minimum of TLSv1.1 or TLSv1.2 in the security policy. Distributions that use the default CloudFront viewer certificate or use vip for the SslSupportMethod are non-compliant with this rule, as the minimum security policy is set to TLSv1 regardless of the specified MinimumProtocolVersion', level: NagMessageLevel.ERROR, @@ -183,7 +183,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'The Cloudfront distribution requires a default object | SHOULD 14.5.6.C.01[CID:1661]', + info: 'The Cloudfront distribution requires a default object - (Control IDs: SHOULD 14.5.6.C.01[CID:1661])', explanation: 'Specifying a default root object lets you avoid exposing the contents of your distribution', level: NagMessageLevel.WARN, @@ -199,7 +199,7 @@ export class NZISM36Checks extends NagPack { */ private checkCloudTrail(node: CfnResource): void { this.applyRule({ - info: 'The trail does not have CloudWatch logs enabled | SHOULD 16.6.6.C.02[CID:1998], MUST 16.4.35.C.02[CID:6860])', + info: 'The trail does not have CloudWatch logs enabled - (Control IDs: SHOULD 16.6.6.C.02[CID:1998], MUST 16.4.35.C.02[CID:6860])', explanation: 'Use Amazon CloudWatch to centrally collect and manage log event activity. Inclusion of AWS CloudTrail data provides details of API call activity within your AWS account.', level: NagMessageLevel.ERROR, @@ -208,7 +208,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'The trail does not have encryption enabled | SHOULD 17.1.46.C.04[CID:2082]', + info: 'The trail does not have encryption enabled - (Control IDs: SHOULD 17.1.46.C.04[CID:2082])', explanation: 'Because sensitive data may exist and to help protect data at rest, ensure encryption is enabled for your AWS CloudTrail trails.', level: NagMessageLevel.WARN, @@ -217,7 +217,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'The trail does not have log file validation - MUST 16.6.12.C.01[CID:2022], MUST 23.5.11.C.01[CID:7496]', + info: 'The trail does not have log file validation - (Control IDs: MUST 16.6.12.C.01[CID:2022], MUST 23.5.11.C.01[CID:7496])', explanation: 'Utilize AWS CloudTrail log file validation to check the integrity of CloudTrail logs. Log file validation helps determine if a log file was modified or deleted or unchanged after CloudTrail delivered it. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection.', level: NagMessageLevel.ERROR, @@ -234,7 +234,7 @@ export class NZISM36Checks extends NagPack { private checkCloudWatch(node: CfnResource): void { this.applyRule({ - info: 'The CloudWatch Log Group does not have an explicit retention period configured - SHOULD 16.6.6.C.02[CID:1998], MUST 16.6.13.C.01[CID:2028]', + info: 'The CloudWatch Log Group does not have an explicit retention period configured - (Control IDs: SHOULD 16.6.6.C.02[CID:1998], MUST 16.6.13.C.01[CID:2028])', explanation: 'Ensure a minimum duration of event log data is retained for your log groups to help with troubleshooting and forensics investigations. The lack of available past event log data makes it difficult to reconstruct and identify potentially malicious events.', level: NagMessageLevel.ERROR, @@ -243,7 +243,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'The CloudWatch Log Group is not encrypted with an AWS KMS key | MUST 16.6.12.C.01[CID:2022], MUST 23.5.11.C.01[CID:7496]', + info: 'The CloudWatch Log Group is not encrypted with an AWS KMS key - (Control IDs: MUST 16.6.12.C.01[CID:2022], MUST 23.5.11.C.01[CID:7496])', explanation: 'To help protect sensitive data at rest, ensure encryption is enabled for your Amazon CloudWatch Log Groups.', level: NagMessageLevel.ERROR, @@ -259,7 +259,7 @@ export class NZISM36Checks extends NagPack { */ private checkDMS(node: CfnResource) { this.applyRule({ - info: 'The DMS replication instance is public | MUST 19.1.12.C.01[CID:3562], MUST 23.4.10.C.01[CID:7466]', + info: 'The DMS replication instance is public - (Control IDs: MUST 19.1.12.C.01[CID:3562], MUST 23.4.10.C.01[CID:7466])', explanation: 'DMS replication instances can contain sensitive information and access control is required for such accounts.', level: NagMessageLevel.ERROR, @@ -275,15 +275,15 @@ export class NZISM36Checks extends NagPack { */ private checkDynamoDB(node: CfnResource) { this.applyRule({ - info: 'The provisioned capacity DynamoDB table does not have Auto Scaling enabled on its indexes | MUST 22.1.23.C.01[CID:4829]', + info: 'The provisioned capacity DynamoDB table does not have Auto Scaling enabled on its indexes - (Control IDs: MUST 22.1.23.C.01[CID:4829])', explanation: 'Amazon DynamoDB auto scaling uses the AWS Application Auto Scaling service to adjust provisioned throughput capacity that automatically responds to actual traffic patterns. This enables a table or a global secondary index to increase its provisioned read/write capacity to handle sudden increases in traffic, without throttling.', - level: NagMessageLevel.ERROR, // TODO: This appears to be an unusal requirement. If t + level: NagMessageLevel.ERROR, rule: DynamoDBAutoScalingEnabled, node: node, }); this.applyRule({ - info: 'The DynamoDB table is not in an AWS Backup plan - MUST 22.1.26.C.01[CID:4849]', + info: 'The DynamoDB table is not in an AWS Backup plan - (Control IDs: MUST 22.1.26.C.01[CID:4849])', explanation: 'To help with data back-up processes, ensure your Amazon DynamoDB tables are a part of an AWS Backup plan. AWS Backup is a fully managed backup service with a policy-based backup solution. This solution simplifies your backup management and enables you to meet your business and regulatory backup compliance requirements.', level: NagMessageLevel.ERROR, @@ -291,7 +291,7 @@ export class NZISM36Checks extends NagPack { node: node, }); this.applyRule({ - info: 'The DynamoDB table does not have Point-in-time Recovery enabled | MUST 22.1.26.C.01[CID:4849]', + info: 'The DynamoDB table does not have Point-in-time Recovery enabled - (Control IDs: MUST 22.1.26.C.01[CID:4849])', explanation: 'The recovery maintains continuous backups of your table for the last 35 days.', level: NagMessageLevel.ERROR, @@ -307,7 +307,7 @@ export class NZISM36Checks extends NagPack { */ private checkEC2(node: CfnResource): void { this.applyRule({ - info: 'The EBS volume is not in an AWS Backup plan | MUST 22.1.26.C.01[CID:4849]', + info: 'The EBS volume is not in an AWS Backup plan - (Control IDs: MUST 22.1.26.C.01[CID:4849])', explanation: 'To help with data back-up processes, ensure your Amazon Elastic Block Store (Amazon EBS) volumes are a part of an AWS Backup plan. AWS Backup is a fully managed backup service with a policy-based backup solution. This solution simplifies your backup management and enables you to meet your business and regulatory backup compliance requirements.', level: NagMessageLevel.ERROR, @@ -316,7 +316,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'The EC2 instance is associated with a public IP address | MUST 19.1.12.C.01[CID:3562], MUST 23.4.10.C.01[CID:7466]', + info: 'The EC2 instance is associated with a public IP address - (Control IDs: MUST 19.1.12.C.01[CID:3562], MUST 23.4.10.C.01[CID:7466])', explanation: 'Manage access to the AWS Cloud by ensuring Amazon Elastic Compute Cloud (Amazon EC2) instances cannot be publicly accessed. Amazon EC2 instances can contain sensitive information and access control is required for such accounts.', level: NagMessageLevel.ERROR, @@ -325,7 +325,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'The EC2 instance is not within a VPC - MUST 19.1.12.C.01[CID:3562], MUST 23.4.10.C.01[CID:7466]', + info: 'The EC2 instance is not within a VPC - (Control IDs: MUST 19.1.12.C.01[CID:3562], MUST 23.4.10.C.01[CID:7466])', explanation: 'Deploy Amazon Elastic Compute Cloud (Amazon EC2) instances within an Amazon Virtual Private Cloud (Amazon VPC) to enable secure communication between an instance and other services within the amazon VPC, without requiring an internet gateway, NAT device, or VPN connection. All traffic remains securely within the AWS Cloud. Because of their logical isolation, domains that reside within anAmazon VPC have an extra layer of security when compared to domains that use public endpoints. Assign Amazon EC2 instances to an Amazon VPC to properly manage access.', level: NagMessageLevel.ERROR, @@ -334,7 +334,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'The EBS volume has encryption disabled- SHOULD 17.1.46.C.04[CID:2082], SHOULD 22.1.24.C.04[CID:4839]', + info: 'The EBS volume has encryption disabled - (Control IDs: SHOULD 17.1.46.C.04[CID:2082], SHOULD 22.1.24.C.04[CID:4839])', explanation: 'With EBS encryption, you aren not required to build, maintain, and secure your own key management infrastructure. EBS encryption uses KMS keys when creating encrypted volumes and snapshots. This helps protect data at rest.', level: NagMessageLevel.WARN, @@ -343,16 +343,16 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'The Security Group allows unrestricted SSH access - SHOULD 17.5.8.C.02[CID:2726]', + info: 'The Security Group allows unrestricted SSH access - (Control IDs: SHOULD 17.5.8.C.02[CID:2726])', explanation: 'Not allowing ingress (or remote) traffic from 0.0.0.0/0 or ::/0 to port 22 on your resources helps to restrict remote access.', - level: NagMessageLevel.ERROR, + level: NagMessageLevel.WARN, rule: EC2RestrictedSSH, node: node, }); this.applyRule({ - info: 'The Security Group allows access other than tcp 443 - SHOULD 18.1.13.C.02[CID:3205]', + info: 'The Security Group allows access other than tcp 443 - (Control IDs: SHOULD 18.1.13.C.02[CID:3205])', explanation: 'Not allowing ingress (or remote) traffic to ports other than tcp port 443 helps improve security', level: NagMessageLevel.WARN, @@ -362,7 +362,7 @@ export class NZISM36Checks extends NagPack { // this can be modified to use EC2IMDVs2 enabled. this.applyRule({ - info: 'THe Ec2 Instance does not use IMDSv2 | MUST 19.1.12.C.01[CID:3562], MUST 23.4.10.C.01[CID:7466]', + info: 'THe Ec2 Instance does not use IMDSv2 - (Control IDs: MUST 19.1.12.C.01[CID:3562], MUST 23.4.10.C.01[CID:7466])', explanation: 'IMDSv2 adds additional protection by using session authentication to the Instance Meta Data Service', level: NagMessageLevel.ERROR, @@ -378,7 +378,7 @@ export class NZISM36Checks extends NagPack { */ private checkECS(node: CfnResource): void { this.applyRule({ - info: 'The ECS task definition is configured for host networking and has at least one container with definitions with privileged set to false or empty or user set to root or empty | SHOULD 14.1.8.C.01[CID:1149]', + info: 'The ECS task definition is configured for host networking and has at least one container with definitions with privileged set to false or empty or user set to root or empty - (Control IDs: SHOULD 14.1.8.C.01[CID:1149])', explanation: 'If a task definition has elevated privileges it is because you have specifically opted-in to those configurations. This rule checks for unexpected privilege escalation when a task definition has host networking enabled but the customer has not opted-in to elevated privileges.', level: NagMessageLevel.WARN, @@ -394,7 +394,7 @@ export class NZISM36Checks extends NagPack { */ private checkEFS(node: CfnResource) { this.applyRule({ - info: 'The EFS is not in an AWS Backup plan - MUST 22.1.26.C.01[CID:4849]', + info: 'The EFS is not in an AWS Backup plan - (Control IDs: MUST 22.1.26.C.01[CID:4849])', explanation: 'To help with data back-up processes, ensure your Amazon Elastic File System (Amazon EFS) file systems are a part of an AWS Backup plan. AWS Backup is a fully managed backup service with a policy-based backup solution. This solution simplifies your backup management and enables you to meet your business and regulatory backup compliance requirements.', level: NagMessageLevel.ERROR, @@ -402,7 +402,7 @@ export class NZISM36Checks extends NagPack { node: node, }); this.applyRule({ - info: 'The EFS does not have encryption at rest enabled = SHOULD 17.1.46.C.04[CID:2082], SHOULD 22.1.24.C.04[CID:4839]', + info: 'The EFS does not have encryption at rest enabled - (Control IDs: SHOULD 17.1.46.C.04[CID:2082], SHOULD 22.1.24.C.04[CID:4839])', explanation: 'Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your Amazon Elastic File System (EFS).', level: NagMessageLevel.WARN, @@ -418,7 +418,7 @@ export class NZISM36Checks extends NagPack { */ private checkElastiCache(node: CfnResource) { this.applyRule({ - info: 'The ElastiCache Redis cluster does not retain automatic backups for at least 15 day - MUST 22.1.26.C.01[CID:4849]', + info: 'The ElastiCache Redis cluster does not retain automatic backups for at least 15 days - (Control IDs: MUST 22.1.26.C.01[CID:4849])', explanation: 'Automatic backups can help guard against data loss. If a failure occurs, you can create a new cluster, which restores your data from the most recent backup.', level: NagMessageLevel.ERROR, @@ -434,7 +434,7 @@ export class NZISM36Checks extends NagPack { */ private checkElasticBeanstalk(node: CfnResource): void { this.applyRule({ - info: 'The Elastic Beanstalk environment does not have enhanced health reporting enabled | SHOULD 12.4.4.C.05[CID:3452]', + info: 'The Elastic Beanstalk environment does not have enhanced health reporting enabled - (Control IDs: SHOULD 12.4.4.C.05[CID:3452])', explanation: 'Enabling managed platform updates for an Amazon Elastic Beanstalk environment ensures that the latest available platform fixes, updates, and features for the environment are installed. Keeping up to date with patch installation is a best practice in securing systems.', level: NagMessageLevel.WARN, @@ -451,7 +451,7 @@ export class NZISM36Checks extends NagPack { private checkELB(node: CfnResource): void { this.applyRule({ - info: 'The ALBs HTTP listeners are not configured to redirect to HTTPS | MUST 16.1.37.C.01[CID:1847], MUST 17.1.48.C.03[CID:2091]', + info: 'The ALBs HTTP listeners are not configured to redirect to HTTPS - (Control IDs: MUST 16.1.37.C.01[CID:1847], MUST 17.1.48.C.03[CID:2091])', explanation: 'To help protect data in transit, ensure that your Application Load Balancer automatically redirects unencrypted HTTP requests to HTTPS. Because sensitive data can exist, enable encryption in transit to help protect that data.', level: NagMessageLevel.ERROR, @@ -460,7 +460,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'The ALB is not associated with AWS WAFv2 web ACL | MUST 19.1.12.C.01[CID:3562], SHOULD 20.3.7.C.02[CID:4333], MUST 23.4.10.C.01[CID:7466]', + info: 'The ALB is not associated with AWS WAFv2 web ACL - (Control IDs: MUST 19.1.12.C.01[CID:3562], SHOULD 20.3.7.C.02[CID:4333], MUST 23.4.10.C.01[CID:7466])', explanation: 'A WAF helps to protect your web applications or APIs against common web exploits. These web exploits may affect availability, compromise security, or consume excessive resources within your environment.', level: NagMessageLevel.ERROR, @@ -469,7 +469,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'MUST 22.1.23.C.01[CID:4829]| Enterprise systems security/Cloud Computing/System Availability', + info: 'Load Balancer is not enabled for Cross Zone - (Control IDs: MUST 22.1.23.C.01[CID:4829])', explanation: "Enable cross-zone load balancing for your Classic Load Balancers (CLBs) to help maintain adequate capacity and availability. The cross-zone load balancing reduces the need to maintain equivalent numbers of instances in each enabled availability zone. It also improves your application's ability to handle the loss of one or more instances.", level: NagMessageLevel.ERROR, @@ -478,7 +478,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'The ELB does not have logging enabled | SHOULD 16.6.10.C.02[CID:2013], MUST 23.5.11.C.01[CID:7496]', + info: 'The ELB does not have logging enabled - (Control IDs: SHOULD 16.6.10.C.02[CID:2013], MUST 23.5.11.C.01[CID:7496])', explanation: "Elastic Load Balancing activity is a central point of communication within an environment. Ensure ELB logging is enabled. The collected data provides detailed information about requests sent to The ELB. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses.", level: NagMessageLevel.ERROR, @@ -486,7 +486,7 @@ export class NZISM36Checks extends NagPack { node: node, }); this.applyRule({ - info: 'The ELB does not restrict its listeners to only the SSL and HTTPS protocol | SHOULD 14.5.8.C.01[CID:1667], MUST 16.1.37.C.01[CID:1847], MUST 17.1.48.C.03[CID:2091], SHOULD 22.1.24.C.04[CID:4839]', + info: 'The ELB does not restrict its listeners to only the SSL and HTTPS protocol - (Control IDs: SHOULD 14.5.8.C.01[CID:1667], MUST 16.1.37.C.01[CID:1847], MUST 17.1.48.C.03[CID:2091], SHOULD 22.1.24.C.04[CID:4839])', explanation: 'Ensure that your Classic Load Balancers (CLBs) are configured with SSL or HTTPS listeners. Because sensitive data can exist, enable encryption in transit to help protect that data.', level: NagMessageLevel.ERROR, @@ -502,7 +502,7 @@ export class NZISM36Checks extends NagPack { */ private checkIAM(node: CfnResource): void { this.applyRule({ - info: 'The IAM policy grants admin access, meaning the policy allows a principal to perform all actions on all resources | SHOULD 16.3.5.C.02[CID:1946]', + info: 'The IAM policy grants admin access, meaning the policy allows a principal to perform all actions on all resources - (Control IDs: SHOULD 16.3.5.C.02[CID:1946])', explanation: 'AWS Identity and Access Management (IAM) can help you incorporate the principles of least privilege and separation of duties with access permissions and authorizations, by ensuring that IAM groups have at least one IAM user. Placing IAM users in groups based on their associated permissions or job function is one way to incorporate least privilege.', level: NagMessageLevel.WARN, @@ -518,7 +518,7 @@ export class NZISM36Checks extends NagPack { */ private checkKMS(node: CfnResource): void { this.applyRule({ - info: 'The KMS Symmetric key does not have automatic key rotation enabled | SHOULD 17.9.25.C.01[CID:3021]', + info: 'The KMS Symmetric key does not have automatic key rotation enabled - (Control IDs: SHOULD 17.9.25.C.01[CID:3021])', explanation: 'Enable key rotation to ensure that keys are rotated once they have reached the end of their crypto period.', level: NagMessageLevel.WARN, @@ -534,7 +534,7 @@ export class NZISM36Checks extends NagPack { private checkLambda(node: CfnResource) { this.applyRule({ - info: 'The Lambda function permission grants public access - MUST 19.1.12.C.01[CID:3562], MUST 23.4.10.C.01[CID:7466]', + info: 'The Lambda function permission grants public access - (Control IDs: MUST 19.1.12.C.01[CID:3562], MUST 23.4.10.C.01[CID:7466])', explanation: 'Public access allows anyone on the internet to perform unauthenticated actions on your function and can potentially lead to degraded availability.', level: NagMessageLevel.ERROR, @@ -550,7 +550,7 @@ export class NZISM36Checks extends NagPack { */ private checkOpenSearch(node: CfnResource) { this.applyRule({ - info: 'The OpenSearch Service domain does not have encryption at rest enabled | SHOULD 17.1.46.C.04[CID:2082], SHOULD 20.4.4.C.02[CID:4441], SHOULD 22.1.24.C.04[CID:4839]', + info: 'The OpenSearch Service domain does not have encryption at rest enabled - (Control IDs: SHOULD 17.1.46.C.04[CID:2082], SHOULD 20.4.4.C.02[CID:4441], SHOULD 22.1.24.C.04[CID:4839])', explanation: 'Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your Amazon OpenSearch Service (OpenSearch Service) domains.', level: NagMessageLevel.WARN, @@ -559,7 +559,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'The OpenSearch Service domain is not running within a VPC | MUST 19.1.12.C.01[CID:3562], SHOULD 19.1.14.C.02[CID:3623]', + info: 'The OpenSearch Service domain is not running within a VPC - (Control IDs: MUST 19.1.12.C.01[CID:3562], SHOULD 19.1.14.C.02[CID:3623])', explanation: 'VPCs help secure your AWS resources and provide an extra layer of protection.', level: NagMessageLevel.ERROR, @@ -568,7 +568,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'The OpenSearch Service domain does not have node-to-node encryption enabled | MUST 16.1.37.C.01[CID:1847], SHOULD 22.1.24.C.04[CID:4839]', + info: 'The OpenSearch Service domain does not have node-to-node encryption enabled - (Control IDs: MUST 16.1.37.C.01[CID:1847], SHOULD 22.1.24.C.04[CID:4839])', explanation: 'Because sensitive data can exist, enable encryption in transit to help protect that data within your Amazon OpenSearch Service (OpenSearch Service) domains.', level: NagMessageLevel.ERROR, @@ -584,7 +584,7 @@ export class NZISM36Checks extends NagPack { */ private checkRDS(node: CfnResource): void { this.applyRule({ - info: 'The RDS DB Instance or Aurora Cluster does not have deletion protection enabled | MUST 22.1.26.C.01[CID:4849]', + info: 'The RDS DB Instance or Aurora Cluster does not have deletion protection enabled - (Control IDs: MUST 22.1.26.C.01[CID:4849])', explanation: 'Ensure Amazon Relational Database Service (Amazon RDS) instances and clusters have deletion protection enabled. Use deletion protection to prevent your Amazon RDS DB instances and clusters from being accidentally or maliciously deleted, which can lead to loss of availability for your applications.', level: NagMessageLevel.ERROR, @@ -593,7 +593,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'The RDS DB Instance does not have multi-AZ support | MUST 22.1.23.C.01[CID:4829]', + info: 'The RDS DB Instance does not have multi-AZ support - (Control IDs: MUST 22.1.23.C.01[CID:4829])', explanation: 'Ensure Amazon Relational Database Service (Amazon RDS) instances and clusters have deletion protection enabled. Use deletion protection to prevent your Amazon RDS DB instances and clusters from being accidentally or maliciously deleted, which can lead to loss of availability for your applications.', level: NagMessageLevel.ERROR, @@ -602,7 +602,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'The RDS DB instance is not in an AWS Backup plan | MUST 22.1.26.C.01[CID:4849]', + info: 'The RDS DB instance is not in an AWS Backup plan - (Control IDs: MUST 22.1.26.C.01[CID:4849])', explanation: 'To help with data back-up processes, ensure your Amazon Relational Database Service (Amazon RDS) instances are a part of an AWS Backup plan. AWS Backup is a fully managed backup service with a policy-based backup solution. This solution simplifies your backup management and enables you to meet your business and regulatory backup compliance requirements.', level: NagMessageLevel.ERROR, @@ -611,7 +611,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'The RDS DB Instance allows public access | MUST 19.1.12.C.01[CID:3562], SHOULD 19.1.14.C.02[CID:3623], MUST 23.4.10.C.01[CID:7466]', + info: 'The RDS DB Instance allows public access - (Control IDs: MUST 19.1.12.C.01[CID:3562], SHOULD 19.1.14.C.02[CID:3623], MUST 23.4.10.C.01[CID:7466])', explanation: 'Amazon RDS database instances can contain sensitive information, and principles and access control is required for such accounts.', level: NagMessageLevel.ERROR, @@ -620,7 +620,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'The non-Aurora RDS DB instance or Aurora cluster does not have all CloudWatch log types exported | SHOULD 16.6.10.C.02[CID:2013], SHOULD 20.4.4.C.02[CID:4441], SHOULD 20.4.5.C.02[CID:4445], MUST 23.5.11.C.01[CID:7496]', + info: 'The non-Aurora RDS DB instance or Aurora cluster does not have all CloudWatch log types exported - (Control IDs: SHOULD 16.6.10.C.02[CID:2013], SHOULD 20.4.4.C.02[CID:4441], SHOULD 20.4.5.C.02[CID:4445], MUST 23.5.11.C.01[CID:7496])', explanation: 'To help with logging and monitoring within your environment, ensure Amazon Relational Database Service (Amazon RDS) logging is enabled. With Amazon RDS logging, you can capture events such as connections, disconnections, queries, or tables queried.' + "This is a granular rule that returns individual findings that can be suppressed with 'appliesTo'. The findings are in the format 'LogExport::' for exported logs. Example: appliesTo: ['LogExport::audit'].", @@ -630,7 +630,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'The RDS DB Instance or Aurora Cluster does not have storage encrypted | SHOULD 17.1.46.C.04[CID:2082], SHOULD 20.4.4.C.02[CID:4441], SHOULD 22.1.24.C.04[CID:4839]', + info: 'The RDS DB Instance or Aurora Cluster does not have storage encrypted - (Control IDs: SHOULD 17.1.46.C.04[CID:2082], SHOULD 20.4.4.C.02[CID:4441], SHOULD 22.1.24.C.04[CID:4839])', explanation: 'Because sensitive data can exist at rest in Amazon RDS instances, enable encryption at rest to help protect that data.', level: NagMessageLevel.WARN, @@ -639,7 +639,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'RDS DB Instance is not configured for minor patches | SHOULD 12.4.4.C.05[CID:3452]', + info: 'RDS DB Instance is not configured for minor patches - (Control IDs: SHOULD 12.4.4.C.05[CID:3452])', explanation: 'Provides automatic Patching in the Database', level: NagMessageLevel.WARN, rule: RDSAutomaticMinorVersionUpgradeEnabled, @@ -654,7 +654,7 @@ export class NZISM36Checks extends NagPack { */ private checkRedshift(node: CfnResource): void { this.applyRule({ - info: 'The Redshift cluster does not have automated snapshots enabled or the retention period is not between 1 and 35 days | MUST 22.1.26.C.01[CID:4849]', + info: 'The Redshift cluster does not have automated snapshots enabled or the retention period is not between 1 and 35 days - (Control IDs: MUST 22.1.26.C.01[CID:4849])', explanation: 'To help with data back-up processes, ensure your Amazon Redshift clusters have automated snapshots. When automated snapshots are enabled for a cluster, Redshift periodically takes snapshots of that cluster. By default, Redshift takes a snapshot every eight hours or every 5 GB per node of data changes, or whichever comes first.', level: NagMessageLevel.ERROR, @@ -663,16 +663,16 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'The Redshift cluster does not have encryption or audit logging enabled | SHOULD 20.4.4.C.02[CID:4441], SHOULD 20.4.5.C.02[CID:4445], SHOULD 22.1.24.C.04[CID:4839]', + info: 'The Redshift cluster does not have encryption or audit logging enabled - (Control IDs: SHOULD 20.4.4.C.02[CID:4441], SHOULD 20.4.5.C.02[CID:4445], SHOULD 22.1.24.C.04[CID:4839])', explanation: 'To protect data at rest, ensure that encryption is enabled for your Amazon Redshift clusters. You must also ensure that required configurations are deployed on Amazon Redshift clusters. The audit logging should be enabled to provide information about connections and user activities in the database.', - level: NagMessageLevel.ERROR, + level: NagMessageLevel.WARN, rule: RedshiftClusterConfiguration, node: node, }); this.applyRule({ - info: 'The Redshift cluster does not have version upgrades enabled, automated snapshot retention periods enabled, and an explicit maintenance window configure MUST 12.4.4.C.02[CID:3449], SHOULD 12.4.4.C.06[CID:3453]', + info: 'The Redshift cluster does not have version upgrades enabled, automated snapshot retention periods enabled, and an explicit maintenance window configure - (Control IDs: MUST 12.4.4.C.02[CID:3449], SHOULD 12.4.4.C.06[CID:3453])', explanation: 'Ensure that Amazon Redshift clusters have the preferred settings for your organization. Specifically, that they have preferred maintenance windows and automated snapshot retention periods for the database. ', level: NagMessageLevel.ERROR, @@ -681,7 +681,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'Redshift must not be made publically avaialble | MUST 19.1.12.C.01[CID:3562], SHOULD 19.1.14.C.02[CID:3623], MUST 23.4.10.C.01[CID:7466]', + info: 'Redshift must not be made publically avaialble - (Control IDs: MUST 19.1.12.C.01[CID:3562], SHOULD 19.1.14.C.02[CID:3623], MUST 23.4.10.C.01[CID:7466])', explanation: 'Amazon Redshift clusters can contain sensitive information and principles and access control is required for such accounts.', level: NagMessageLevel.ERROR, @@ -690,7 +690,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'The Redshift cluster must use TLS/SSL encryption. MUST 17.1.48.C.03[CID:2091], SHOULD 22.1.24.C.04[CID:4839]', + info: 'The Redshift cluster must use TLS/SSL encryption. - (Control IDs: MUST 17.1.48.C.03[CID:2091], SHOULD 22.1.24.C.04[CID:4839])', explanation: 'Ensure that your Amazon Redshift clusters require TLS/SSL encryption to connect to SQL clients. Because sensitive data can exist, enable encryption in transit to help protect that data.', level: NagMessageLevel.ERROR, @@ -706,7 +706,7 @@ export class NZISM36Checks extends NagPack { */ private checkS3(node: CfnResource): void { this.applyRule({ - info: 'The S3 bucket does not prohibit public access through bucket level settings SHOULD 22.1.24.C.03[CID:4838]', + info: 'The S3 bucket does not prohibit public access through bucket level settings - (Control IDs: SHOULD 22.1.24.C.03[CID:4838])', explanation: 'Keep sensitive data safe from unauthorized remote users by preventing public access at the bucket level.', level: NagMessageLevel.WARN, @@ -714,7 +714,7 @@ export class NZISM36Checks extends NagPack { node: node, }); this.applyRule({ - info: 'The S3 Bucket or bucket policy does not require requests to use SSL | SHOULD 22.1.24.C.04[CID:4839]|', + info: 'The S3 Bucket or bucket policy does not require requests to use SSL - (Control IDs: SHOULD 22.1.24.C.04[CID:4839])', explanation: 'To help protect data in transit, ensure that your Amazon Simple Storage Service (Amazon S3) buckets require requests to use Secure Socket Layer (SSL). Because sensitive data can exist, enable encryption in transit to help protect that data.', level: NagMessageLevel.WARN, @@ -722,7 +722,7 @@ export class NZISM36Checks extends NagPack { node: node, }); this.applyRule({ - info: 'The S3 Buckets does not have server access logs enabled | MUST 22.1.26.C.01[CID:4849]', + info: 'The S3 Buckets does not have server access logs enabled - (Control IDs: MUST 22.1.26.C.01[CID:4849])', explanation: 'Amazon Simple Storage Service (Amazon S3) server access logging provides a method to monitor the network for potential cybersecurity events. The events are monitored by capturing detailed records for the requests that are made to an Amazon S3 bucket. Each access log record provides details about a single access request. The details include the requester, bucket name, request time, request action, response status, and an error code, if relevant.', level: NagMessageLevel.ERROR, @@ -731,7 +731,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'The S3 Bucket does not prohibit public read access through its Block Public Access configurations and bucket ACLs | SHOULD 22.1.24.C.03[CID:4838]', + info: 'The S3 Bucket does not prohibit public read access through its Block Public Access configurations and bucket ACLs - (Control IDs: SHOULD 22.1.24.C.03[CID:4838])', explanation: 'The management of access should be consistent with the classification of the data.', level: NagMessageLevel.WARN, @@ -739,7 +739,7 @@ export class NZISM36Checks extends NagPack { node: node, }); this.applyRule({ - info: 'The S3 Bucket does not prohibit public write access through its Block Public Access configurations and bucket ACLs | SHOULD 22.1.24.C.03[CID:4838]', + info: 'The S3 Bucket does not prohibit public write access through its Block Public Access configurations and bucket ACLs - (Control IDs: SHOULD 22.1.24.C.03[CID:4838])', explanation: 'The management of access should be consistent with the classification of the data.', level: NagMessageLevel.WARN, @@ -747,7 +747,7 @@ export class NZISM36Checks extends NagPack { node: node, }); this.applyRule({ - info: 'The S3 Bucket does not have versioning enabled | MUST 22.1.26.C.01[CID:4849]', + info: 'The S3 Bucket does not have versioning enabled - (Control IDs: MUST 22.1.26.C.01[CID:4849])', explanation: 'Use versioning to preserve, retrieve, and restore every version of every object stored in your Amazon S3 bucket. Versioning helps you to easily recover from unintended user actions and application failures.', level: NagMessageLevel.ERROR, @@ -755,7 +755,7 @@ export class NZISM36Checks extends NagPack { node: node, }); this.applyRule({ - info: 'The S3 Bucket is not encrypted with a KMS Key by default | SHOULD 17.1.46.C.04[CID:2082]| Cryptography/Cryptographic Fundamentals/Reducing storage and physical transfer requirements', + info: 'The S3 Bucket is not encrypted with a KMS Key by default - (Control IDs: SHOULD 17.1.46.C.04[CID:2082])', explanation: 'Ensure that encryption is enabled for your Amazon Simple Storage Service (Amazon S3) buckets. Because sensitive data can exist at rest in an Amazon S3 bucket, enable encryption at rest to help protect that data.', level: NagMessageLevel.WARN, @@ -771,7 +771,7 @@ export class NZISM36Checks extends NagPack { */ private checkSageMaker(node: CfnResource) { this.applyRule({ - info: 'The SageMaker resource endpoint is not encrypted with a KMS key | SHOULD 22.1.24.C.04[CID:4839]', + info: 'The SageMaker resource endpoint is not encrypted with a KMS key - (Control IDs: SHOULD 22.1.24.C.04[CID:4839])', explanation: 'Because sensitive data can exist at rest in SageMaker endpoint, enable encryption at rest to help protect that data.', level: NagMessageLevel.WARN, @@ -779,7 +779,7 @@ export class NZISM36Checks extends NagPack { node: node, }); this.applyRule({ - info: 'The SageMaker notebook is not encrypted with a KMS key | SHOULD 22.1.24.C.04[CID:4839]', + info: 'The SageMaker notebook is not encrypted with a KMS key - (Control IDs: SHOULD 22.1.24.C.04[CID:4839])', explanation: 'Because sensitive data can exist at rest in SageMaker notebook, enable encryption at rest to help protect that data.', level: NagMessageLevel.WARN, @@ -787,7 +787,7 @@ export class NZISM36Checks extends NagPack { node: node, }); this.applyRule({ - info: 'The SageMaker notebook does not disable direct internet access | MUST 19.1.12.C.01[CID:3562], MUST 23.4.10.C.01[CID:7466]', + info: 'The SageMaker notebook does not disable direct internet access - (Control IDs: MUST 19.1.12.C.01[CID:3562], MUST 23.4.10.C.01[CID:7466])', explanation: 'By preventing direct internet access, you can keep sensitive data from being accessed by unauthorized users.', level: NagMessageLevel.ERROR, @@ -803,7 +803,7 @@ export class NZISM36Checks extends NagPack { */ private checkSecretsManager(node: CfnResource): void { this.applyRule({ - info: 'The secret is not encrypted with a KMS Customer managed key | SHOULD 22.1.24.C.04[CID:4839]', + info: 'The secret is not encrypted with a KMS Customer managed key - (Control IDs: SHOULD 22.1.24.C.04[CID:4839])', explanation: 'To help protect data at rest, ensure encryption with AWS Key Management Service (AWS KMS) is enabled for AWS Secrets Manager secrets. Because sensitive data can exist at rest in Secrets Manager secrets, enable encryption at rest to help protect that data.', level: NagMessageLevel.WARN, @@ -819,7 +819,7 @@ export class NZISM36Checks extends NagPack { */ private checkSNS(node: CfnResource): void { this.applyRule({ - info: 'The SNS topic does not have KMS encryption enabled | SHOULD 22.1.24.C.04[CID:4839]', + info: 'The SNS topic does not have KMS encryption enabled - (Control IDs: SHOULD 22.1.24.C.04[CID:4839])', explanation: 'To help protect data at rest, ensure that your Amazon Simple Notification Service (Amazon SNS) topics require encryption using AWS Key Management Service (AWS KMS) Because sensitive data can exist at rest in published messages, enable encryption at rest to help protect that data.', level: NagMessageLevel.WARN, @@ -835,7 +835,7 @@ export class NZISM36Checks extends NagPack { */ private checkVPC(node: CfnResource): void { this.applyRule({ - info: 'The VPCs default security group allows inbound or outbound traffic MUST 19.1.12.C.01[CID:3562], MUST 23.4.10.C.01[CID:7466]', + info: 'The VPCs default security group allows inbound or outbound traffic - (Control IDs: MUST 19.1.12.C.01[CID:3562], MUST 23.4.10.C.01[CID:7466])', explanation: 'Amazon Elastic Compute Cloud (Amazon EC2) security groups can help in the management of network access by providing stateful filtering of ingress and egress network traffic to AWS resources. Restricting all the traffic on the default security group helps in restricting remote access to your AWS resources.', level: NagMessageLevel.ERROR, @@ -843,7 +843,7 @@ export class NZISM36Checks extends NagPack { node: node, }); this.applyRule({ - info: 'The VPC does not have an associated Flow Log | MUST 19.1.12.C.01[CID:3562], MUST 23.4.10.C.01[CID:7466]', + info: 'The VPC does not have an associated Flow Log - (Control IDs: MUST 19.1.12.C.01[CID:3562], MUST 23.4.10.C.01[CID:7466])', explanation: 'The VPC flow logs provide detailed records for information about the IP traffic going to and from network interfaces in your Amazon Virtual Private Cloud (Amazon VPC). By default, the flow log record includes values for the different components of the IP flow, including the source, destination, and protocol.', level: NagMessageLevel.ERROR, @@ -859,7 +859,7 @@ export class NZISM36Checks extends NagPack { */ private checkWAF(node: CfnResource): void { this.applyRule({ - info: 'The WAFv2 web ACL does not have logging enabled | SHOULD 16.6.10.C.02[CID:2013], MUST 23.5.11.C.01[CID:7496]', + info: 'The WAFv2 web ACL does not have logging enabled - (Control IDs: SHOULD 16.6.10.C.02[CID:2013], MUST 23.5.11.C.01[CID:7496])', explanation: 'AWS WAF logging provides detailed information about the traffic that is analyzed by your web ACL. The logs record the time that AWS WAF received the request from your AWS resource, information about the request, and an action for the rule that each request matched.', level: NagMessageLevel.ERROR, diff --git a/test/Packs.test.ts b/test/Packs.test.ts index 3ec9d4a08a..a6b372e9d3 100644 --- a/test/Packs.test.ts +++ b/test/Packs.test.ts @@ -648,6 +648,7 @@ describe('Check NagPack Details', () => { }); test('Pack contains expected warning and error rules', () => { const expectedWarnings = [ + 'NZISM3.6-EC2RestrictedSSH', 'NZISM3.6-CloudFrontDefaultRootObjectConfigured', 'NZISM3.6-CloudTrailEncryptionEnabled', 'NZISM3.6-EC2EBSVolumeEncrypted', @@ -669,6 +670,7 @@ describe('Check NagPack Details', () => { 'NZISM3.6-SageMakerEndpointConfigurationKMSKeyConfigured', 'NZISM3.6-SageMakerNotebookInstanceKMSKeyConfigured', 'NZISM3.6-SecretsManagerUsingKMSKey', + 'NZISM3.6-RedshiftClusterConfiguration', ]; const expectedErrors = [ @@ -690,7 +692,6 @@ describe('Check NagPack Details', () => { 'NZISM3.6-EC2IMDSv2Enabled', 'NZISM3.6-EC2InstanceNoPublicIp', 'NZISM3.6-EC2InstancesInVPC', - 'NZISM3.6-EC2RestrictedSSH', 'NZISM3.6-EFSInBackupPlan', 'NZISM3.6-ELBCrossZoneLoadBalancingEnabled', 'NZISM3.6-ELBLoggingEnabled', @@ -705,7 +706,6 @@ describe('Check NagPack Details', () => { 'NZISM3.6-RDSLoggingEnabled', 'NZISM3.6-RDSMultiAZSupport', 'NZISM3.6-RedshiftBackupEnabled', - 'NZISM3.6-RedshiftClusterConfiguration', 'NZISM3.6-RedshiftClusterMaintenanceSettings', 'NZISM3.6-RedshiftClusterPublicAccess', 'NZISM3.6-RedshiftRequireTlsSSL', From d319b3cbded52426883eb57016d6bc9e81e3534c Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 06:26:30 +1200 Subject: [PATCH 08/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index 4770a82292..7ffe06f120 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -141,7 +141,7 @@ export class NZISM36Checks extends NagPack { */ private checkAPIGW(node: CfnResource): void { this.applyRule({ - info: 'The API Gateway stage does not have execution logging enabled for all methods - (Control IDs: SHOULD 16.6.10.C.02[CID:2013], MUST 23.5.11.C.01[CID:7496])', + info: 'The API Gateway stage does not have execution logging enabled for all methods - (Control IDs: SHOULD(16.6.10.C.02[CID:2013]), MUST(23.5.11.C.01[CID:7496]))', explanation: 'API Gateway logging displays detailed views of users who accessed the API and the way they accessed the API. This insight enables visibility of user activities.', level: NagMessageLevel.ERROR, From 4cfd4021b1fe67584ba2e84c12ef940881370529 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 06:26:46 +1200 Subject: [PATCH 09/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index 7ffe06f120..d24f57daeb 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -157,7 +157,7 @@ export class NZISM36Checks extends NagPack { */ private checkCloudFront(node: CfnResource): void { this.applyRule({ - info: 'The CloudFront distribution does not have access logging enabled. - (Control IDs: SHOULD 16.6.10.C.02[CID:2013], MUST 23.5.11.C.01[CID:7496])', + info: 'The CloudFront distribution does not have access logging enabled. - (Control IDs: SHOULD(16.6.10.C.02[CID:2013]), MUST(23.5.11.C.01[CID:7496]))', explanation: 'Enabling access logs helps operators track all viewer requests for the content delivered through the Content Delivery Network.', level: NagMessageLevel.ERROR, From d2ebbdd72a084fcf9594d5bf4c82313ab6f82159 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 06:26:56 +1200 Subject: [PATCH 10/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index d24f57daeb..d4f944c09b 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -165,7 +165,7 @@ export class NZISM36Checks extends NagPack { node: node, }); this.applyRule({ - info: 'The CloudFront distribution requires integration with WAF - (Control IDs: MUST 19.1.12.C.01[CID:3562])', + info: 'The CloudFront distribution requires integration with WAF - (Control IDs: MUST(19.1.12.C.01[CID:3562]))', explanation: 'The Web Application Firewall can help protect against application-layer attacks that can compromise the security of the system or place unnecessary load on them.', level: NagMessageLevel.ERROR, From 1398f221780d03f84c5c8b3c892de298f984dc3f Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 06:27:05 +1200 Subject: [PATCH 11/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index d4f944c09b..c9a1908e8d 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -183,7 +183,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'The Cloudfront distribution requires a default object - (Control IDs: SHOULD 14.5.6.C.01[CID:1661])', + info: 'The Cloudfront distribution requires a default object - (Control IDs: SHOULD(14.5.6.C.01[CID:1661]))', explanation: 'Specifying a default root object lets you avoid exposing the contents of your distribution', level: NagMessageLevel.WARN, From cf65b2b2fc00cdc86ed60bbdb278bcdc98146f49 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 06:27:16 +1200 Subject: [PATCH 12/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index c9a1908e8d..e6f551a3b0 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -174,7 +174,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'The CloudFront distribution allows for SSLv3 or TLSv1 for HTTPS viewer connections - (Control IDs: MUST 16.1.37.C.01[CID:1847])', + info: 'The CloudFront distribution allows for SSLv3 or TLSv1 for HTTPS viewer connections - (Control IDs: MUST(16.1.37.C.01[CID:1847]))', explanation: 'Vulnerabilities have been and continue to be discovered in the deprecated SSL and TLS protocols. Help protect viewer connections by specifying a viewer certificate that enforces a minimum of TLSv1.1 or TLSv1.2 in the security policy. Distributions that use the default CloudFront viewer certificate or use vip for the SslSupportMethod are non-compliant with this rule, as the minimum security policy is set to TLSv1 regardless of the specified MinimumProtocolVersion', level: NagMessageLevel.ERROR, From 46633ac25bd961f03a98dfc5e3d2d3cce0383ab8 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 06:27:27 +1200 Subject: [PATCH 13/85] Update README.md Co-authored-by: Arun Donti --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 2ecd40ea07..b2d69d8544 100644 --- a/README.md +++ b/README.md @@ -28,7 +28,7 @@ See [RULES](./RULES.md) for more information on all the available packs. 3. [NIST 800-53 rev 4](./RULES.md#nist-800-53-rev-4) 4. [NIST 800-53 rev 5](./RULES.md#nist-800-53-rev-5) 5. [PCI DSS 3.2.1](./RULES.md#pci-dss-321) -6. [NZISM3.6](./RULES.md#nzism-3.6) +6. [NZISM 3.6](./RULES.md#nzism-3.6) [RULES](./RULES.md) also includes a collection of [additional rules](./RULES.md#additional-rules) that are not currently included in any of the pre-built NagPacks, but are still available for inclusion in custom NagPacks. From 8e38f8cb4bed1d5c4d56b6e1a314a8a935f5c4da Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 06:27:47 +1200 Subject: [PATCH 14/85] Update RULES.md Co-authored-by: Arun Donti --- RULES.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RULES.md b/RULES.md index 9f5c6aaf29..23233eb128 100644 --- a/RULES.md +++ b/RULES.md @@ -697,7 +697,7 @@ Unimplemented rules from the AWS PCI DSS 3.2.1 Conformance Pack. ## NZISM 3.6 -The Operational Best Practices for NZISM3.6 provides a sample mapping between the New Zealand Government Communications Security Bureau (GCSB) Information Security Manual (NZISM) and AWS Managed Config rules. Each Config rule applies to a specific AWS resource, and relates to one or more NZISM controls. An NZISM control can be related to multiple Config rules +The [Operational Best Practices for NZISM 3.6](https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nzism.html) Conformance pack offers a collection of AWS Config Rules that enable customers to align to a subset of the Zealand Government Communications Security Bureau (GCSB) Information Security Manual (NZISM) standards. NZISM 3.6 NagPack implements many of the checks within the conformance pack. ### Errors From 8670c9f6dc46c4e6952093fce22bc00b94452b6c Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 06:28:16 +1200 Subject: [PATCH 15/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index e6f551a3b0..15d3fdc5e7 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -199,7 +199,7 @@ export class NZISM36Checks extends NagPack { */ private checkCloudTrail(node: CfnResource): void { this.applyRule({ - info: 'The trail does not have CloudWatch logs enabled - (Control IDs: SHOULD 16.6.6.C.02[CID:1998], MUST 16.4.35.C.02[CID:6860])', + info: 'The trail does not have CloudWatch logs enabled - (Control IDs: SHOULD(16.6.6.C.02[CID:1998]), MUST(16.4.35.C.02[CID:6860]))', explanation: 'Use Amazon CloudWatch to centrally collect and manage log event activity. Inclusion of AWS CloudTrail data provides details of API call activity within your AWS account.', level: NagMessageLevel.ERROR, From efd462abae89efb57f8ee0caea63a740bbacaa37 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 06:28:39 +1200 Subject: [PATCH 16/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index 15d3fdc5e7..69abe89130 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -208,7 +208,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'The trail does not have encryption enabled - (Control IDs: SHOULD 17.1.46.C.04[CID:2082])', + info: 'The trail does not have encryption enabled - (Control IDs: SHOULD(17.1.46.C.04[CID:2082]))', explanation: 'Because sensitive data may exist and to help protect data at rest, ensure encryption is enabled for your AWS CloudTrail trails.', level: NagMessageLevel.WARN, From c875eec8b1fdb29d43d58d3bf93169b76dbe1dae Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 06:28:58 +1200 Subject: [PATCH 17/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index 69abe89130..6598e4f18f 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -217,7 +217,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'The trail does not have log file validation - (Control IDs: MUST 16.6.12.C.01[CID:2022], MUST 23.5.11.C.01[CID:7496])', + info: 'The trail does not have log file validation - (Control IDs: MUST(16.6.12.C.01[CID:2022], 23.5.11.C.01[CID:7496]))', explanation: 'Utilize AWS CloudTrail log file validation to check the integrity of CloudTrail logs. Log file validation helps determine if a log file was modified or deleted or unchanged after CloudTrail delivered it. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection.', level: NagMessageLevel.ERROR, From 74c66c8d0ba3160ca9f15a84f955abcec71e4b8e Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 06:29:40 +1200 Subject: [PATCH 18/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index 6598e4f18f..6ed3606f11 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -234,7 +234,7 @@ export class NZISM36Checks extends NagPack { private checkCloudWatch(node: CfnResource): void { this.applyRule({ - info: 'The CloudWatch Log Group does not have an explicit retention period configured - (Control IDs: SHOULD 16.6.6.C.02[CID:1998], MUST 16.6.13.C.01[CID:2028])', + info: 'The CloudWatch Log Group does not have an explicit retention period configured - (Control IDs: SHOULD(16.6.6.C.02[CID:1998]), MUST(16.6.13.C.01[CID:2028]))', explanation: 'Ensure a minimum duration of event log data is retained for your log groups to help with troubleshooting and forensics investigations. The lack of available past event log data makes it difficult to reconstruct and identify potentially malicious events.', level: NagMessageLevel.ERROR, From 9628c33539ca181be72422856dd86343f0bb3a35 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 06:30:02 +1200 Subject: [PATCH 19/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index 6ed3606f11..f9fdab0914 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -259,7 +259,7 @@ export class NZISM36Checks extends NagPack { */ private checkDMS(node: CfnResource) { this.applyRule({ - info: 'The DMS replication instance is public - (Control IDs: MUST 19.1.12.C.01[CID:3562], MUST 23.4.10.C.01[CID:7466])', + info: 'The DMS replication instance is public - (Control IDs: MUST(19.1.12.C.01[CID:3562], 23.4.10.C.01[CID:7466]))', explanation: 'DMS replication instances can contain sensitive information and access control is required for such accounts.', level: NagMessageLevel.ERROR, From c1806eca5aced37ee9f6046e337dd28d04bdfad4 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 06:30:19 +1200 Subject: [PATCH 20/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index f9fdab0914..1d396d0509 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -243,7 +243,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'The CloudWatch Log Group is not encrypted with an AWS KMS key - (Control IDs: MUST 16.6.12.C.01[CID:2022], MUST 23.5.11.C.01[CID:7496])', + info: 'The CloudWatch Log Group is not encrypted with an AWS KMS key - (Control IDs: MUST(16.6.12.C.01[CID:2022], 23.5.11.C.01[CID:7496]))', explanation: 'To help protect sensitive data at rest, ensure encryption is enabled for your Amazon CloudWatch Log Groups.', level: NagMessageLevel.ERROR, From a1ba8410e574a36219088a9004fb545ecba681b7 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 06:30:53 +1200 Subject: [PATCH 21/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index 1d396d0509..4e57c1ba0a 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -275,7 +275,7 @@ export class NZISM36Checks extends NagPack { */ private checkDynamoDB(node: CfnResource) { this.applyRule({ - info: 'The provisioned capacity DynamoDB table does not have Auto Scaling enabled on its indexes - (Control IDs: MUST 22.1.23.C.01[CID:4829])', + info: 'The provisioned capacity DynamoDB table does not have Auto Scaling enabled on its indexes - (Control IDs: MUST(22.1.23.C.01[CID:4829]))', explanation: 'Amazon DynamoDB auto scaling uses the AWS Application Auto Scaling service to adjust provisioned throughput capacity that automatically responds to actual traffic patterns. This enables a table or a global secondary index to increase its provisioned read/write capacity to handle sudden increases in traffic, without throttling.', level: NagMessageLevel.ERROR, From b14ca5712ef586d7fe6fbd4dea8ed5cceb3f0027 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 06:31:19 +1200 Subject: [PATCH 22/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index 4e57c1ba0a..56e9033e9e 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -283,7 +283,7 @@ export class NZISM36Checks extends NagPack { node: node, }); this.applyRule({ - info: 'The DynamoDB table is not in an AWS Backup plan - (Control IDs: MUST 22.1.26.C.01[CID:4849])', + info: 'The DynamoDB table is not in an AWS Backup plan - (Control IDs: MUST(22.1.26.C.01[CID:4849]))', explanation: 'To help with data back-up processes, ensure your Amazon DynamoDB tables are a part of an AWS Backup plan. AWS Backup is a fully managed backup service with a policy-based backup solution. This solution simplifies your backup management and enables you to meet your business and regulatory backup compliance requirements.', level: NagMessageLevel.ERROR, From ede9c09c7f67d7ff2de53d8dbc3c61db000d3fe5 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 06:31:52 +1200 Subject: [PATCH 23/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index 56e9033e9e..b72a60c230 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -291,7 +291,7 @@ export class NZISM36Checks extends NagPack { node: node, }); this.applyRule({ - info: 'The DynamoDB table does not have Point-in-time Recovery enabled - (Control IDs: MUST 22.1.26.C.01[CID:4849])', + info: 'The DynamoDB table does not have Point-in-time Recovery enabled - (Control IDs: MUST(22.1.26.C.01[CID:4849]))', explanation: 'The recovery maintains continuous backups of your table for the last 35 days.', level: NagMessageLevel.ERROR, From 63803347278d5717f614bad7c62260321b982af4 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 06:32:14 +1200 Subject: [PATCH 24/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index b72a60c230..47606ff992 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -307,7 +307,7 @@ export class NZISM36Checks extends NagPack { */ private checkEC2(node: CfnResource): void { this.applyRule({ - info: 'The EBS volume is not in an AWS Backup plan - (Control IDs: MUST 22.1.26.C.01[CID:4849])', + info: 'The EBS volume is not in an AWS Backup plan - (Control IDs: MUST(22.1.26.C.01[CID:4849]))', explanation: 'To help with data back-up processes, ensure your Amazon Elastic Block Store (Amazon EBS) volumes are a part of an AWS Backup plan. AWS Backup is a fully managed backup service with a policy-based backup solution. This solution simplifies your backup management and enables you to meet your business and regulatory backup compliance requirements.', level: NagMessageLevel.ERROR, From 1c45dc241dbf8a7b17df1a903fc32585ed2109b3 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 06:32:47 +1200 Subject: [PATCH 25/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index 47606ff992..df01d61145 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -316,7 +316,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'The EC2 instance is associated with a public IP address - (Control IDs: MUST 19.1.12.C.01[CID:3562], MUST 23.4.10.C.01[CID:7466])', + info: 'The EC2 instance is associated with a public IP address - (Control IDs: MUST(19.1.12.C.01[CID:3562], 23.4.10.C.01[CID:7466]))', explanation: 'Manage access to the AWS Cloud by ensuring Amazon Elastic Compute Cloud (Amazon EC2) instances cannot be publicly accessed. Amazon EC2 instances can contain sensitive information and access control is required for such accounts.', level: NagMessageLevel.ERROR, From 98fb435de9a974b40b0434c90529cf6a9787f13c Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 06:33:16 +1200 Subject: [PATCH 26/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index df01d61145..25fab71add 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -325,7 +325,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'The EC2 instance is not within a VPC - (Control IDs: MUST 19.1.12.C.01[CID:3562], MUST 23.4.10.C.01[CID:7466])', + info: 'The EC2 instance is not within a VPC - (Control IDs: MUST(19.1.12.C.01[CID:3562], 23.4.10.C.01[CID:7466]))', explanation: 'Deploy Amazon Elastic Compute Cloud (Amazon EC2) instances within an Amazon Virtual Private Cloud (Amazon VPC) to enable secure communication between an instance and other services within the amazon VPC, without requiring an internet gateway, NAT device, or VPN connection. All traffic remains securely within the AWS Cloud. Because of their logical isolation, domains that reside within anAmazon VPC have an extra layer of security when compared to domains that use public endpoints. Assign Amazon EC2 instances to an Amazon VPC to properly manage access.', level: NagMessageLevel.ERROR, From e45333dfb48d607d9c29e37036783b8fcfd232c7 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 06:34:29 +1200 Subject: [PATCH 27/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index 25fab71add..5501366abd 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -334,7 +334,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'The EBS volume has encryption disabled - (Control IDs: SHOULD 17.1.46.C.04[CID:2082], SHOULD 22.1.24.C.04[CID:4839])', + info: 'The EBS volume has encryption disabled - (Control IDs: SHOULD(17.1.46.C.04[CID:2082], 22.1.24.C.04[CID:4839]))', explanation: 'With EBS encryption, you aren not required to build, maintain, and secure your own key management infrastructure. EBS encryption uses KMS keys when creating encrypted volumes and snapshots. This helps protect data at rest.', level: NagMessageLevel.WARN, From c382984a81fd3d355ebc2b735681d2de5f3d323d Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 06:34:50 +1200 Subject: [PATCH 28/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index 5501366abd..ae3f0a3a2b 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -352,7 +352,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'The Security Group allows access other than tcp 443 - (Control IDs: SHOULD 18.1.13.C.02[CID:3205])', + info: 'The Security Group allows access other than tcp 443 - (Control IDs: SHOULD(18.1.13.C.02[CID:3205]))', explanation: 'Not allowing ingress (or remote) traffic to ports other than tcp port 443 helps improve security', level: NagMessageLevel.WARN, From 9da428054fdf19afe301da0e30a1c7d1b045b444 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 06:35:40 +1200 Subject: [PATCH 29/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index ae3f0a3a2b..1207922118 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -362,7 +362,7 @@ export class NZISM36Checks extends NagPack { // this can be modified to use EC2IMDVs2 enabled. this.applyRule({ - info: 'THe Ec2 Instance does not use IMDSv2 - (Control IDs: MUST 19.1.12.C.01[CID:3562], MUST 23.4.10.C.01[CID:7466])', + info: 'The EC2 Instance does not use IMDSv2 - (Control IDs: MUST(19.1.12.C.01[CID:3562], 23.4.10.C.01[CID:7466]))', explanation: 'IMDSv2 adds additional protection by using session authentication to the Instance Meta Data Service', level: NagMessageLevel.ERROR, From 2419e68b0da68a231b934131eb7197bcca466740 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 06:35:58 +1200 Subject: [PATCH 30/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index 1207922118..f858523500 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -343,7 +343,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'The Security Group allows unrestricted SSH access - (Control IDs: SHOULD 17.5.8.C.02[CID:2726])', + info: 'The Security Group allows unrestricted SSH access - (Control IDs: SHOULD(17.5.8.C.02[CID:2726]))', explanation: 'Not allowing ingress (or remote) traffic from 0.0.0.0/0 or ::/0 to port 22 on your resources helps to restrict remote access.', level: NagMessageLevel.WARN, From 6f0a186bc5e347d343fc976bae8d9eba2100ecbd Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 06:36:19 +1200 Subject: [PATCH 31/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index f858523500..e55855cadc 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -378,7 +378,7 @@ export class NZISM36Checks extends NagPack { */ private checkECS(node: CfnResource): void { this.applyRule({ - info: 'The ECS task definition is configured for host networking and has at least one container with definitions with privileged set to false or empty or user set to root or empty - (Control IDs: SHOULD 14.1.8.C.01[CID:1149])', + info: 'The ECS task definition is configured for host networking and has at least one container with definitions with privileged set to false or empty or user set to root or empty - (Control IDs: SHOULD(14.1.8.C.01[CID:1149]))', explanation: 'If a task definition has elevated privileges it is because you have specifically opted-in to those configurations. This rule checks for unexpected privilege escalation when a task definition has host networking enabled but the customer has not opted-in to elevated privileges.', level: NagMessageLevel.WARN, From 974b4745424a0726d31b71ba3caa8891f0225573 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 06:37:04 +1200 Subject: [PATCH 32/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index e55855cadc..1521222369 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -394,7 +394,7 @@ export class NZISM36Checks extends NagPack { */ private checkEFS(node: CfnResource) { this.applyRule({ - info: 'The EFS is not in an AWS Backup plan - (Control IDs: MUST 22.1.26.C.01[CID:4849])', + info: 'The EFS is not in an AWS Backup plan - (Control IDs: MUST(22.1.26.C.01[CID:4849]))', explanation: 'To help with data back-up processes, ensure your Amazon Elastic File System (Amazon EFS) file systems are a part of an AWS Backup plan. AWS Backup is a fully managed backup service with a policy-based backup solution. This solution simplifies your backup management and enables you to meet your business and regulatory backup compliance requirements.', level: NagMessageLevel.ERROR, From b899f8d69517fca5ed84afcb3bd51267dca68624 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 06:38:00 +1200 Subject: [PATCH 33/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index 1521222369..1662ff75a0 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -418,7 +418,7 @@ export class NZISM36Checks extends NagPack { */ private checkElastiCache(node: CfnResource) { this.applyRule({ - info: 'The ElastiCache Redis cluster does not retain automatic backups for at least 15 days - (Control IDs: MUST 22.1.26.C.01[CID:4849])', + info: 'The ElastiCache Redis cluster does not retain automatic backups for at least 15 days - (Control IDs: MUST(22.1.26.C.01[CID:4849]))', explanation: 'Automatic backups can help guard against data loss. If a failure occurs, you can create a new cluster, which restores your data from the most recent backup.', level: NagMessageLevel.ERROR, From 2f05256f3a6b224bfd99d9fa94006cc5e97d79ac Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 06:38:23 +1200 Subject: [PATCH 34/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index 1662ff75a0..b09372d908 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -402,7 +402,7 @@ export class NZISM36Checks extends NagPack { node: node, }); this.applyRule({ - info: 'The EFS does not have encryption at rest enabled - (Control IDs: SHOULD 17.1.46.C.04[CID:2082], SHOULD 22.1.24.C.04[CID:4839])', + info: 'The EFS does not have encryption at rest enabled - (Control IDs: SHOULD(17.1.46.C.04[CID:2082], 22.1.24.C.04[CID:4839]))', explanation: 'Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your Amazon Elastic File System (EFS).', level: NagMessageLevel.WARN, From ec2317f178228a69846c8dc946cac04e526c91a9 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 06:38:54 +1200 Subject: [PATCH 35/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index b09372d908..57f06922fd 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -434,7 +434,7 @@ export class NZISM36Checks extends NagPack { */ private checkElasticBeanstalk(node: CfnResource): void { this.applyRule({ - info: 'The Elastic Beanstalk environment does not have enhanced health reporting enabled - (Control IDs: SHOULD 12.4.4.C.05[CID:3452])', + info: 'The Elastic Beanstalk environment does not have enhanced health reporting enabled - (Control IDs: SHOULD(12.4.4.C.05[CID:3452]))', explanation: 'Enabling managed platform updates for an Amazon Elastic Beanstalk environment ensures that the latest available platform fixes, updates, and features for the environment are installed. Keeping up to date with patch installation is a best practice in securing systems.', level: NagMessageLevel.WARN, From 5998513c10e2dfaadb349afe1077dc6c159882f7 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 06:39:30 +1200 Subject: [PATCH 36/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index 57f06922fd..ef71de83fd 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -451,7 +451,7 @@ export class NZISM36Checks extends NagPack { private checkELB(node: CfnResource): void { this.applyRule({ - info: 'The ALBs HTTP listeners are not configured to redirect to HTTPS - (Control IDs: MUST 16.1.37.C.01[CID:1847], MUST 17.1.48.C.03[CID:2091])', + info: 'The ALBs HTTP listeners are not configured to redirect to HTTPS - (Control IDs: MUST(16.1.37.C.01[CID:1847], 17.1.48.C.03[CID:2091]))', explanation: 'To help protect data in transit, ensure that your Application Load Balancer automatically redirects unencrypted HTTP requests to HTTPS. Because sensitive data can exist, enable encryption in transit to help protect that data.', level: NagMessageLevel.ERROR, From f01fc79dcc090f777f9e3d39b04c2f65ccc19a4f Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 06:41:20 +1200 Subject: [PATCH 37/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index ef71de83fd..5717e4ef7d 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -654,7 +654,7 @@ export class NZISM36Checks extends NagPack { */ private checkRedshift(node: CfnResource): void { this.applyRule({ - info: 'The Redshift cluster does not have automated snapshots enabled or the retention period is not between 1 and 35 days - (Control IDs: MUST 22.1.26.C.01[CID:4849])', + info: 'The Redshift cluster does not have automated snapshots enabled or the retention period is not between 1 and 35 days - (Control IDs: MUST(22.1.26.C.01[CID:4849]))', explanation: 'To help with data back-up processes, ensure your Amazon Redshift clusters have automated snapshots. When automated snapshots are enabled for a cluster, Redshift periodically takes snapshots of that cluster. By default, Redshift takes a snapshot every eight hours or every 5 GB per node of data changes, or whichever comes first.', level: NagMessageLevel.ERROR, From 3b5f5f119f22e94f8f555ddcf03208d7e7c3989c Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 06:41:57 +1200 Subject: [PATCH 38/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index 5717e4ef7d..554881ed0d 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -460,7 +460,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'The ALB is not associated with AWS WAFv2 web ACL - (Control IDs: MUST 19.1.12.C.01[CID:3562], SHOULD 20.3.7.C.02[CID:4333], MUST 23.4.10.C.01[CID:7466])', + info: 'The ALB is not associated with AWS WAFv2 web ACL - (Control IDs: SHOULD(20.3.7.C.02[CID:4333]), MUST(19.1.12.C.01[CID:3562], 23.4.10.C.01[CID:7466]))', explanation: 'A WAF helps to protect your web applications or APIs against common web exploits. These web exploits may affect availability, compromise security, or consume excessive resources within your environment.', level: NagMessageLevel.ERROR, From e0e7b45ca1360662bafb93b01f11b756e69ffd7d Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 07:43:45 +1200 Subject: [PATCH 39/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index 554881ed0d..62b77670f9 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -469,7 +469,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'Load Balancer is not enabled for Cross Zone - (Control IDs: MUST 22.1.23.C.01[CID:4829])', + info: 'Load Balancer is not enabled for Cross Zone - (Control IDs: MUST(22.1.23.C.01[CID:4829]))', explanation: "Enable cross-zone load balancing for your Classic Load Balancers (CLBs) to help maintain adequate capacity and availability. The cross-zone load balancing reduces the need to maintain equivalent numbers of instances in each enabled availability zone. It also improves your application's ability to handle the loss of one or more instances.", level: NagMessageLevel.ERROR, From 46016accd6b7bf2e1cc54bd603cb07eb78d7d419 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 07:44:35 +1200 Subject: [PATCH 40/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index 62b77670f9..daeaea90df 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -602,7 +602,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'The RDS DB instance is not in an AWS Backup plan - (Control IDs: MUST 22.1.26.C.01[CID:4849])', + info: 'The RDS DB instance is not in an AWS Backup plan - (Control IDs: MUST(22.1.26.C.01[CID:4849]))', explanation: 'To help with data back-up processes, ensure your Amazon Relational Database Service (Amazon RDS) instances are a part of an AWS Backup plan. AWS Backup is a fully managed backup service with a policy-based backup solution. This solution simplifies your backup management and enables you to meet your business and regulatory backup compliance requirements.', level: NagMessageLevel.ERROR, From 8d50d21023224733fcdbf2d50787db9b72690ac2 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 07:45:59 +1200 Subject: [PATCH 41/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index daeaea90df..e8fd32a46f 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -620,7 +620,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'The non-Aurora RDS DB instance or Aurora cluster does not have all CloudWatch log types exported - (Control IDs: SHOULD 16.6.10.C.02[CID:2013], SHOULD 20.4.4.C.02[CID:4441], SHOULD 20.4.5.C.02[CID:4445], MUST 23.5.11.C.01[CID:7496])', + info: 'The non-Aurora RDS DB instance or Aurora cluster does not have all CloudWatch log types exported - (Control IDs: SHOULD(16.6.10.C.02[CID:2013], 20.4.4.C.02[CID:4441], 20.4.5.C.02[CID:4445]), MUST(23.5.11.C.01[CID:7496]))', explanation: 'To help with logging and monitoring within your environment, ensure Amazon Relational Database Service (Amazon RDS) logging is enabled. With Amazon RDS logging, you can capture events such as connections, disconnections, queries, or tables queried.' + "This is a granular rule that returns individual findings that can be suppressed with 'appliesTo'. The findings are in the format 'LogExport::' for exported logs. Example: appliesTo: ['LogExport::audit'].", From 0ce87cd16e33504bf6e92c16a8c0927c34803a19 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 07:46:22 +1200 Subject: [PATCH 42/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index e8fd32a46f..0469ea095d 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -478,7 +478,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'The ELB does not have logging enabled - (Control IDs: SHOULD 16.6.10.C.02[CID:2013], MUST 23.5.11.C.01[CID:7496])', + info: 'The ELB does not have logging enabled - (Control IDs: SHOULD(16.6.10.C.02[CID:2013]), MUST(23.5.11.C.01[CID:7496]))', explanation: "Elastic Load Balancing activity is a central point of communication within an environment. Ensure ELB logging is enabled. The collected data provides detailed information about requests sent to The ELB. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses.", level: NagMessageLevel.ERROR, From cb1a9327030e94b1b693ca761ed40b442f78641b Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 07:46:48 +1200 Subject: [PATCH 43/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index 0469ea095d..ec14633fc1 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -486,7 +486,7 @@ export class NZISM36Checks extends NagPack { node: node, }); this.applyRule({ - info: 'The ELB does not restrict its listeners to only the SSL and HTTPS protocol - (Control IDs: SHOULD 14.5.8.C.01[CID:1667], MUST 16.1.37.C.01[CID:1847], MUST 17.1.48.C.03[CID:2091], SHOULD 22.1.24.C.04[CID:4839])', + info: 'The ELB does not restrict its listeners to only the SSL and HTTPS protocol - (Control IDs: SHOULD(14.5.8.C.01[CID:1667], 22.1.24.C.04[CID:4839])), MUST(16.1.37.C.01[CID:1847], 17.1.48.C.03[CID:2091])) ', explanation: 'Ensure that your Classic Load Balancers (CLBs) are configured with SSL or HTTPS listeners. Because sensitive data can exist, enable encryption in transit to help protect that data.', level: NagMessageLevel.ERROR, From 58b6e525b28a0b0d8f858acc1cf8a4efe3c181a7 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 07:47:08 +1200 Subject: [PATCH 44/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index ec14633fc1..5cd4545a56 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -518,7 +518,7 @@ export class NZISM36Checks extends NagPack { */ private checkKMS(node: CfnResource): void { this.applyRule({ - info: 'The KMS Symmetric key does not have automatic key rotation enabled - (Control IDs: SHOULD 17.9.25.C.01[CID:3021])', + info: 'The KMS Symmetric key does not have automatic key rotation enabled - (Control IDs: SHOULD(17.9.25.C.01[CID:3021]))', explanation: 'Enable key rotation to ensure that keys are rotated once they have reached the end of their crypto period.', level: NagMessageLevel.WARN, From 3c09623fd0e4369c9320dfc5b81c7bebe3f07f59 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 07:47:29 +1200 Subject: [PATCH 45/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index 5cd4545a56..e1d81ebc55 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -502,7 +502,7 @@ export class NZISM36Checks extends NagPack { */ private checkIAM(node: CfnResource): void { this.applyRule({ - info: 'The IAM policy grants admin access, meaning the policy allows a principal to perform all actions on all resources - (Control IDs: SHOULD 16.3.5.C.02[CID:1946])', + info: 'The IAM policy grants admin access, meaning the policy allows a principal to perform all actions on all resources - (Control IDs: SHOULD(16.3.5.C.02[CID:1946]))', explanation: 'AWS Identity and Access Management (IAM) can help you incorporate the principles of least privilege and separation of duties with access permissions and authorizations, by ensuring that IAM groups have at least one IAM user. Placing IAM users in groups based on their associated permissions or job function is one way to incorporate least privilege.', level: NagMessageLevel.WARN, From 99df78c8caa21d0a85a5f4bbd2ff234de67cbc52 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 07:48:05 +1200 Subject: [PATCH 46/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index e1d81ebc55..0202cdd359 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -534,7 +534,7 @@ export class NZISM36Checks extends NagPack { private checkLambda(node: CfnResource) { this.applyRule({ - info: 'The Lambda function permission grants public access - (Control IDs: MUST 19.1.12.C.01[CID:3562], MUST 23.4.10.C.01[CID:7466])', + info: 'The Lambda function permission grants public access - (Control IDs: MUST(19.1.12.C.01[CID:3562], 23.4.10.C.01[CID:7466]))', explanation: 'Public access allows anyone on the internet to perform unauthenticated actions on your function and can potentially lead to degraded availability.', level: NagMessageLevel.ERROR, From 426159c0b6952f1e49117e8dc91016656a1cfeb5 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 07:48:31 +1200 Subject: [PATCH 47/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index 0202cdd359..3591a9bb36 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -550,7 +550,7 @@ export class NZISM36Checks extends NagPack { */ private checkOpenSearch(node: CfnResource) { this.applyRule({ - info: 'The OpenSearch Service domain does not have encryption at rest enabled - (Control IDs: SHOULD 17.1.46.C.04[CID:2082], SHOULD 20.4.4.C.02[CID:4441], SHOULD 22.1.24.C.04[CID:4839])', + info: 'The OpenSearch Service domain does not have encryption at rest enabled - (Control IDs: SHOULD(17.1.46.C.04[CID:2082], 20.4.4.C.02[CID:4441], 22.1.24.C.04[CID:4839]))', explanation: 'Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your Amazon OpenSearch Service (OpenSearch Service) domains.', level: NagMessageLevel.WARN, From fd472b5e539a3fb78eb3db3b973d8ee1310d7446 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 07:53:04 +1200 Subject: [PATCH 48/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index 3591a9bb36..874cf3c405 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -559,7 +559,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'The OpenSearch Service domain is not running within a VPC - (Control IDs: MUST 19.1.12.C.01[CID:3562], SHOULD 19.1.14.C.02[CID:3623])', + info: 'The OpenSearch Service domain is not running within a VPC - (Control IDs: SHOULD(19.1.14.C.02[CID:3623]), MUST(19.1.12.C.01[CID:3562]))', explanation: 'VPCs help secure your AWS resources and provide an extra layer of protection.', level: NagMessageLevel.ERROR, From 5efcc12f239f5f26c4b1113253d96ac9edbf7905 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 07:53:33 +1200 Subject: [PATCH 49/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index 874cf3c405..c602329e4f 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -568,7 +568,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'The OpenSearch Service domain does not have node-to-node encryption enabled - (Control IDs: MUST 16.1.37.C.01[CID:1847], SHOULD 22.1.24.C.04[CID:4839])', + info: 'The OpenSearch Service domain does not have node-to-node encryption enabled - (Control IDs: SHOULD(22.1.24.C.04[CID:4839]), MUST(16.1.37.C.01[CID:1847])) ', explanation: 'Because sensitive data can exist, enable encryption in transit to help protect that data within your Amazon OpenSearch Service (OpenSearch Service) domains.', level: NagMessageLevel.ERROR, From 3cdaa9b3bdf3fee3967ed88fd4cabbbd1d57a43e Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 07:53:58 +1200 Subject: [PATCH 50/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index c602329e4f..3cc24d27dd 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -584,7 +584,7 @@ export class NZISM36Checks extends NagPack { */ private checkRDS(node: CfnResource): void { this.applyRule({ - info: 'The RDS DB Instance or Aurora Cluster does not have deletion protection enabled - (Control IDs: MUST 22.1.26.C.01[CID:4849])', + info: 'The RDS DB Instance or Aurora Cluster does not have deletion protection enabled - (Control IDs: MUST(22.1.26.C.01[CID:4849]))', explanation: 'Ensure Amazon Relational Database Service (Amazon RDS) instances and clusters have deletion protection enabled. Use deletion protection to prevent your Amazon RDS DB instances and clusters from being accidentally or maliciously deleted, which can lead to loss of availability for your applications.', level: NagMessageLevel.ERROR, From 35ba4833a22feadac6f8ddc7bc326111bc498fc1 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 07:54:19 +1200 Subject: [PATCH 51/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index 3cc24d27dd..8afec5c45d 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -593,7 +593,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'The RDS DB Instance does not have multi-AZ support - (Control IDs: MUST 22.1.23.C.01[CID:4829])', + info: 'The RDS DB Instance does not have multi-AZ support - (Control IDs: MUST(22.1.23.C.01[CID:4829]))', explanation: 'Ensure Amazon Relational Database Service (Amazon RDS) instances and clusters have deletion protection enabled. Use deletion protection to prevent your Amazon RDS DB instances and clusters from being accidentally or maliciously deleted, which can lead to loss of availability for your applications.', level: NagMessageLevel.ERROR, From ad9a0364b1a1c9170eba2133f117322f4b9713aa Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 07:54:41 +1200 Subject: [PATCH 52/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index 8afec5c45d..3db23b8ef6 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -611,7 +611,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'The RDS DB Instance allows public access - (Control IDs: MUST 19.1.12.C.01[CID:3562], SHOULD 19.1.14.C.02[CID:3623], MUST 23.4.10.C.01[CID:7466])', + info: 'The RDS DB Instance allows public access - (Control IDs: SHOULD(19.1.14.C.02[CID:3623]), MUST(19.1.12.C.01[CID:3562], 23.4.10.C.01[CID:7466]))', explanation: 'Amazon RDS database instances can contain sensitive information, and principles and access control is required for such accounts.', level: NagMessageLevel.ERROR, From 23dc2906bb6b58605b1c5f69eb57d3fd4c5d9761 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 07:55:03 +1200 Subject: [PATCH 53/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index 3db23b8ef6..f99b5b4d49 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -630,7 +630,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'The RDS DB Instance or Aurora Cluster does not have storage encrypted - (Control IDs: SHOULD 17.1.46.C.04[CID:2082], SHOULD 20.4.4.C.02[CID:4441], SHOULD 22.1.24.C.04[CID:4839])', + info: 'The RDS DB Instance or Aurora Cluster does not have storage encrypted - (Control IDs: SHOULD(17.1.46.C.04[CID:2082], 20.4.4.C.02[CID:4441], 22.1.24.C.04[CID:4839]))', explanation: 'Because sensitive data can exist at rest in Amazon RDS instances, enable encryption at rest to help protect that data.', level: NagMessageLevel.WARN, From 1fd5e0bb4aac92f1b041e31472773c09963bd0f3 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 07:55:24 +1200 Subject: [PATCH 54/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index f99b5b4d49..6b8e2efec4 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -639,7 +639,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'RDS DB Instance is not configured for minor patches - (Control IDs: SHOULD 12.4.4.C.05[CID:3452])', + info: 'RDS DB Instance is not configured for minor patches - (Control IDs: SHOULD(12.4.4.C.05[CID:3452]))', explanation: 'Provides automatic Patching in the Database', level: NagMessageLevel.WARN, rule: RDSAutomaticMinorVersionUpgradeEnabled, From 1cd2a667e137a2f27c702d12d135eeba68fd0395 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 08:02:48 +1200 Subject: [PATCH 55/85] Update test/rules/EC2.test.ts Co-authored-by: Arun Donti --- test/rules/EC2.test.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/rules/EC2.test.ts b/test/rules/EC2.test.ts index 264f2c39f9..b8fc301077 100644 --- a/test/rules/EC2.test.ts +++ b/test/rules/EC2.test.ts @@ -1253,7 +1253,7 @@ describe('EC2SecurityGroupOnlyTcp443: Security Groups should only allow TCP 443 }); test('tcp80 from 10/8', () => { - new CfnSecurityGroup(stack, 'rSecurityGroup2', { + new CfnSecurityGroup(stack, 'SecurityGroup2', { groupDescription: 'security group with tcp 443 ingress allowed', securityGroupIngress: [ { From def38c7a9913fce62b5404370f9627b0ad506834 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 08:03:16 +1200 Subject: [PATCH 56/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index 6b8e2efec4..28b7418b4a 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -663,7 +663,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'The Redshift cluster does not have encryption or audit logging enabled - (Control IDs: SHOULD 20.4.4.C.02[CID:4441], SHOULD 20.4.5.C.02[CID:4445], SHOULD 22.1.24.C.04[CID:4839])', + info: 'The Redshift cluster does not have encryption or audit logging enabled - (Control IDs: SHOULD(20.4.4.C.02[CID:4441], 20.4.5.C.02[CID:4445], 22.1.24.C.04[CID:4839]))', explanation: 'To protect data at rest, ensure that encryption is enabled for your Amazon Redshift clusters. You must also ensure that required configurations are deployed on Amazon Redshift clusters. The audit logging should be enabled to provide information about connections and user activities in the database.', level: NagMessageLevel.WARN, From f78c76f3bf3be19b230d94f0081ba3e384d54128 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 08:03:41 +1200 Subject: [PATCH 57/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index 28b7418b4a..b1c9a121dc 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -672,7 +672,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'The Redshift cluster does not have version upgrades enabled, automated snapshot retention periods enabled, and an explicit maintenance window configure - (Control IDs: MUST 12.4.4.C.02[CID:3449], SHOULD 12.4.4.C.06[CID:3453])', + info: 'The Redshift cluster does not have version upgrades enabled, automated snapshot retention periods enabled, and an explicit maintenance window configure - (Control IDs: SHOULD(12.4.4.C.06[CID:3453]), MUST(12.4.4.C.02[CID:3449]))', explanation: 'Ensure that Amazon Redshift clusters have the preferred settings for your organization. Specifically, that they have preferred maintenance windows and automated snapshot retention periods for the database. ', level: NagMessageLevel.ERROR, From 59c633f459d6d67fcb80e1916717a523a9433b40 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 08:04:15 +1200 Subject: [PATCH 58/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index b1c9a121dc..c683fea92c 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -681,7 +681,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'Redshift must not be made publically avaialble - (Control IDs: MUST 19.1.12.C.01[CID:3562], SHOULD 19.1.14.C.02[CID:3623], MUST 23.4.10.C.01[CID:7466])', + info: 'The Redshift cluster is publicly accessible - (Control IDs: SHOULD(19.1.14.C.02[CID:3623]), MUST(19.1.12.C.01[CID:3562], 23.4.10.C.01[CID:7466]))', explanation: 'Amazon Redshift clusters can contain sensitive information and principles and access control is required for such accounts.', level: NagMessageLevel.ERROR, From e510aced0dfb60de2d7f9633c41e43bd39b4eb52 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 08:04:47 +1200 Subject: [PATCH 59/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index c683fea92c..8a6404d468 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -690,7 +690,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'The Redshift cluster must use TLS/SSL encryption. - (Control IDs: MUST 17.1.48.C.03[CID:2091], SHOULD 22.1.24.C.04[CID:4839])', + info: 'The Redshift cluster does not require TLS/SSL encryption - (Control IDs: SHOULD(22.1.24.C.04[CID:4839]), MUST(17.1.48.C.03[CID:2091])).', explanation: 'Ensure that your Amazon Redshift clusters require TLS/SSL encryption to connect to SQL clients. Because sensitive data can exist, enable encryption in transit to help protect that data.', level: NagMessageLevel.ERROR, From 093ac6fb31e989106f675c4ae2781549f789f140 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 08:05:14 +1200 Subject: [PATCH 60/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index 8a6404d468..f737a9b1d8 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -706,7 +706,7 @@ export class NZISM36Checks extends NagPack { */ private checkS3(node: CfnResource): void { this.applyRule({ - info: 'The S3 bucket does not prohibit public access through bucket level settings - (Control IDs: SHOULD 22.1.24.C.03[CID:4838])', + info: 'The S3 bucket does not prohibit public access through bucket level settings - (Control IDs: SHOULD(22.1.24.C.03[CID:4838]))', explanation: 'Keep sensitive data safe from unauthorized remote users by preventing public access at the bucket level.', level: NagMessageLevel.WARN, From 6f01be55690d446e63317f13dc96ae98291f5ed8 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 08:05:44 +1200 Subject: [PATCH 61/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index f737a9b1d8..32dca5c751 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -714,7 +714,7 @@ export class NZISM36Checks extends NagPack { node: node, }); this.applyRule({ - info: 'The S3 Bucket or bucket policy does not require requests to use SSL - (Control IDs: SHOULD 22.1.24.C.04[CID:4839])', + info: 'The S3 Bucket or bucket policy does not require requests to use SSL - (Control IDs: SHOULD(22.1.24.C.04[CID:4839]))', explanation: 'To help protect data in transit, ensure that your Amazon Simple Storage Service (Amazon S3) buckets require requests to use Secure Socket Layer (SSL). Because sensitive data can exist, enable encryption in transit to help protect that data.', level: NagMessageLevel.WARN, From 27354a3c108c5a5afc2cb542fb1b2898efe325ea Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 08:06:28 +1200 Subject: [PATCH 62/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index 32dca5c751..28bceba875 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -731,7 +731,7 @@ export class NZISM36Checks extends NagPack { }); this.applyRule({ - info: 'The S3 Bucket does not prohibit public read access through its Block Public Access configurations and bucket ACLs - (Control IDs: SHOULD 22.1.24.C.03[CID:4838])', + info: 'The S3 Bucket does not prohibit public read access through its Block Public Access configurations and bucket ACLs - (Control IDs: SHOULD(22.1.24.C.03[CID:4838]))', explanation: 'The management of access should be consistent with the classification of the data.', level: NagMessageLevel.WARN, From a336a12a97339f056b1119e389f02c8c79c722e9 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 08:06:56 +1200 Subject: [PATCH 63/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index 28bceba875..a1e3c77bc6 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -722,7 +722,7 @@ export class NZISM36Checks extends NagPack { node: node, }); this.applyRule({ - info: 'The S3 Buckets does not have server access logs enabled - (Control IDs: MUST 22.1.26.C.01[CID:4849])', + info: 'The S3 Buckets does not have server access logs enabled - (Control IDs: MUST(22.1.26.C.01[CID:4849]))', explanation: 'Amazon Simple Storage Service (Amazon S3) server access logging provides a method to monitor the network for potential cybersecurity events. The events are monitored by capturing detailed records for the requests that are made to an Amazon S3 bucket. Each access log record provides details about a single access request. The details include the requester, bucket name, request time, request action, response status, and an error code, if relevant.', level: NagMessageLevel.ERROR, From 93eeb00465edd50144e3519b90f35c101e174a59 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 08:07:22 +1200 Subject: [PATCH 64/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index a1e3c77bc6..5b4e909c76 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -739,7 +739,7 @@ export class NZISM36Checks extends NagPack { node: node, }); this.applyRule({ - info: 'The S3 Bucket does not prohibit public write access through its Block Public Access configurations and bucket ACLs - (Control IDs: SHOULD 22.1.24.C.03[CID:4838])', + info: 'The S3 Bucket does not prohibit public write access through its Block Public Access configurations and bucket ACLs - (Control IDs: SHOULD(22.1.24.C.03[CID:4838]))', explanation: 'The management of access should be consistent with the classification of the data.', level: NagMessageLevel.WARN, From e7565c4c92836b5829e0b83a463da462eb327c8f Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 08:07:48 +1200 Subject: [PATCH 65/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index 5b4e909c76..36cfa7e56c 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -747,7 +747,7 @@ export class NZISM36Checks extends NagPack { node: node, }); this.applyRule({ - info: 'The S3 Bucket does not have versioning enabled - (Control IDs: MUST 22.1.26.C.01[CID:4849])', + info: 'The S3 Bucket does not have versioning enabled - (Control IDs: MUST(22.1.26.C.01[CID:4849]))', explanation: 'Use versioning to preserve, retrieve, and restore every version of every object stored in your Amazon S3 bucket. Versioning helps you to easily recover from unintended user actions and application failures.', level: NagMessageLevel.ERROR, From fcefd94d6dc450c04f554b27f46b05a249abfc5d Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 08:08:21 +1200 Subject: [PATCH 66/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index 36cfa7e56c..8b24c765d2 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -755,7 +755,7 @@ export class NZISM36Checks extends NagPack { node: node, }); this.applyRule({ - info: 'The S3 Bucket is not encrypted with a KMS Key by default - (Control IDs: SHOULD 17.1.46.C.04[CID:2082])', + info: 'The S3 Bucket is not encrypted with a KMS Key by default - (Control IDs: SHOULD(17.1.46.C.04[CID:2082]))', explanation: 'Ensure that encryption is enabled for your Amazon Simple Storage Service (Amazon S3) buckets. Because sensitive data can exist at rest in an Amazon S3 bucket, enable encryption at rest to help protect that data.', level: NagMessageLevel.WARN, From 8bfabe4dbf6e04586596bd7849e919f917d7caf3 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 08:09:56 +1200 Subject: [PATCH 67/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index 8b24c765d2..96d5aad32c 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -771,7 +771,7 @@ export class NZISM36Checks extends NagPack { */ private checkSageMaker(node: CfnResource) { this.applyRule({ - info: 'The SageMaker resource endpoint is not encrypted with a KMS key - (Control IDs: SHOULD 22.1.24.C.04[CID:4839])', + info: 'The SageMaker resource endpoint is not encrypted with a KMS key - (Control IDs: SHOULD(22.1.24.C.04[CID:4839]))', explanation: 'Because sensitive data can exist at rest in SageMaker endpoint, enable encryption at rest to help protect that data.', level: NagMessageLevel.WARN, From b70eb782a756e92cdaf29c1b8c7029fc66dfbcfa Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 08:10:20 +1200 Subject: [PATCH 68/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index 96d5aad32c..650f3be62f 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -787,7 +787,7 @@ export class NZISM36Checks extends NagPack { node: node, }); this.applyRule({ - info: 'The SageMaker notebook does not disable direct internet access - (Control IDs: MUST 19.1.12.C.01[CID:3562], MUST 23.4.10.C.01[CID:7466])', + info: 'The SageMaker notebook does not disable direct internet access - (Control IDs: MUST(19.1.12.C.01[CID:3562], 23.4.10.C.01[CID:7466]))', explanation: 'By preventing direct internet access, you can keep sensitive data from being accessed by unauthorized users.', level: NagMessageLevel.ERROR, From a00df65686f66ccc25545ae8ce7e8b8820bd5bde Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 08:10:40 +1200 Subject: [PATCH 69/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index 650f3be62f..b35be930b7 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -803,7 +803,7 @@ export class NZISM36Checks extends NagPack { */ private checkSecretsManager(node: CfnResource): void { this.applyRule({ - info: 'The secret is not encrypted with a KMS Customer managed key - (Control IDs: SHOULD 22.1.24.C.04[CID:4839])', + info: 'The secret is not encrypted with a KMS Customer managed key - (Control IDs: SHOULD(22.1.24.C.04[CID:4839]))', explanation: 'To help protect data at rest, ensure encryption with AWS Key Management Service (AWS KMS) is enabled for AWS Secrets Manager secrets. Because sensitive data can exist at rest in Secrets Manager secrets, enable encryption at rest to help protect that data.', level: NagMessageLevel.WARN, From f126582239d2d48d00ba2b195c860c7325a1c871 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 08:11:07 +1200 Subject: [PATCH 70/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index b35be930b7..90a80b9015 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -819,7 +819,7 @@ export class NZISM36Checks extends NagPack { */ private checkSNS(node: CfnResource): void { this.applyRule({ - info: 'The SNS topic does not have KMS encryption enabled - (Control IDs: SHOULD 22.1.24.C.04[CID:4839])', + info: 'The SNS topic does not have KMS encryption enabled - (Control IDs: SHOULD(22.1.24.C.04[CID:4839]))', explanation: 'To help protect data at rest, ensure that your Amazon Simple Notification Service (Amazon SNS) topics require encryption using AWS Key Management Service (AWS KMS) Because sensitive data can exist at rest in published messages, enable encryption at rest to help protect that data.', level: NagMessageLevel.WARN, From 75a437d83972dab89a0d4800d7eecba71f495b98 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 08:11:52 +1200 Subject: [PATCH 71/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index 90a80b9015..4bda762e88 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -779,7 +779,7 @@ export class NZISM36Checks extends NagPack { node: node, }); this.applyRule({ - info: 'The SageMaker notebook is not encrypted with a KMS key - (Control IDs: SHOULD 22.1.24.C.04[CID:4839])', + info: 'The SageMaker notebook is not encrypted with a KMS key - (Control IDs: SHOULD(22.1.24.C.04[CID:4839]))', explanation: 'Because sensitive data can exist at rest in SageMaker notebook, enable encryption at rest to help protect that data.', level: NagMessageLevel.WARN, From 060c2506aca5b0f7323be0e0e4d74b9b9ec8b698 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 08:12:22 +1200 Subject: [PATCH 72/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index 4bda762e88..d72a710ef7 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -835,7 +835,7 @@ export class NZISM36Checks extends NagPack { */ private checkVPC(node: CfnResource): void { this.applyRule({ - info: 'The VPCs default security group allows inbound or outbound traffic - (Control IDs: MUST 19.1.12.C.01[CID:3562], MUST 23.4.10.C.01[CID:7466])', + info: 'The VPCs default security group allows inbound or outbound traffic - (Control IDs: MUST(19.1.12.C.01[CID:3562], 23.4.10.C.01[CID:7466]))', explanation: 'Amazon Elastic Compute Cloud (Amazon EC2) security groups can help in the management of network access by providing stateful filtering of ingress and egress network traffic to AWS resources. Restricting all the traffic on the default security group helps in restricting remote access to your AWS resources.', level: NagMessageLevel.ERROR, From caff052d9138cd6706fd8165a3f1eb087e1051a6 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 08:12:47 +1200 Subject: [PATCH 73/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index d72a710ef7..577b6e1712 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -843,7 +843,7 @@ export class NZISM36Checks extends NagPack { node: node, }); this.applyRule({ - info: 'The VPC does not have an associated Flow Log - (Control IDs: MUST 19.1.12.C.01[CID:3562], MUST 23.4.10.C.01[CID:7466])', + info: 'The VPC does not have an associated Flow Log - (Control IDs: MUST(19.1.12.C.01[CID:3562], 23.4.10.C.01[CID:7466]))', explanation: 'The VPC flow logs provide detailed records for information about the IP traffic going to and from network interfaces in your Amazon Virtual Private Cloud (Amazon VPC). By default, the flow log record includes values for the different components of the IP flow, including the source, destination, and protocol.', level: NagMessageLevel.ERROR, From cf727d3eda61e3d2b90212652bdcfc852569fd8f Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 08:13:13 +1200 Subject: [PATCH 74/85] Update src/packs/nzism-v36-1022-20.ts Co-authored-by: Arun Donti --- src/packs/nzism-v36-1022-20.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packs/nzism-v36-1022-20.ts b/src/packs/nzism-v36-1022-20.ts index 577b6e1712..ab74dd2db4 100644 --- a/src/packs/nzism-v36-1022-20.ts +++ b/src/packs/nzism-v36-1022-20.ts @@ -859,7 +859,7 @@ export class NZISM36Checks extends NagPack { */ private checkWAF(node: CfnResource): void { this.applyRule({ - info: 'The WAFv2 web ACL does not have logging enabled - (Control IDs: SHOULD 16.6.10.C.02[CID:2013], MUST 23.5.11.C.01[CID:7496])', + info: 'The WAFv2 web ACL does not have logging enabled - (Control IDs: SHOULD(16.6.10.C.02[CID:2013]), MUST(23.5.11.C.01[CID:7496]))', explanation: 'AWS WAF logging provides detailed information about the traffic that is analyzed by your web ACL. The logs record the time that AWS WAF received the request from your AWS resource, information about the request, and an action for the rule that each request matched.', level: NagMessageLevel.ERROR, From 845275add7e6f5ff3b93cb651650f6b8abc80a99 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 08:13:39 +1200 Subject: [PATCH 75/85] Update test/rules/CloudFront.test.ts Co-authored-by: Arun Donti --- test/rules/CloudFront.test.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/rules/CloudFront.test.ts b/test/rules/CloudFront.test.ts index fa26385c81..1f20f29098 100644 --- a/test/rules/CloudFront.test.ts +++ b/test/rules/CloudFront.test.ts @@ -405,7 +405,7 @@ describe('Amazon CloudFront', () => { // Non Compliance test('Noncompliance ', () => { - new Distribution(stack, 'rDistribution', { + new Distribution(stack, 'Distribution', { defaultBehavior: { origin: new S3Origin(new Bucket(stack, 'rOriginBucket')), }, From 24371d9e9abbf4579a9ffa7c10492447843231a5 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 08:14:07 +1200 Subject: [PATCH 76/85] Update test/rules/CloudFront.test.ts Co-authored-by: Arun Donti --- test/rules/CloudFront.test.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/rules/CloudFront.test.ts b/test/rules/CloudFront.test.ts index 1f20f29098..aa060a8f51 100644 --- a/test/rules/CloudFront.test.ts +++ b/test/rules/CloudFront.test.ts @@ -407,7 +407,7 @@ describe('Amazon CloudFront', () => { test('Noncompliance ', () => { new Distribution(stack, 'Distribution', { defaultBehavior: { - origin: new S3Origin(new Bucket(stack, 'rOriginBucket')), + origin: new S3Origin(new Bucket(stack, 'OriginBucket')), }, }); validateStack(stack, ruleId, TestType.NON_COMPLIANCE); From 0f256afc7b7d4ffcdae75b70460cb5c2b0af34e2 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 08:14:34 +1200 Subject: [PATCH 77/85] Update test/rules/CloudFront.test.ts Co-authored-by: Arun Donti --- test/rules/CloudFront.test.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/rules/CloudFront.test.ts b/test/rules/CloudFront.test.ts index aa060a8f51..7e14438a39 100644 --- a/test/rules/CloudFront.test.ts +++ b/test/rules/CloudFront.test.ts @@ -415,7 +415,7 @@ describe('Amazon CloudFront', () => { // Compliance test('Compliance', () => { - new Distribution(stack, 'rDistribution', { + new Distribution(stack, 'Distribution', { defaultBehavior: { origin: new S3Origin(new Bucket(stack, 'rOriginBucket')), }, From 734de96981bdc95b9f46189f4d1655a34a79ca70 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 08:15:01 +1200 Subject: [PATCH 78/85] Update test/rules/CloudFront.test.ts Co-authored-by: Arun Donti --- test/rules/CloudFront.test.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/rules/CloudFront.test.ts b/test/rules/CloudFront.test.ts index 7e14438a39..e4f70d7c7d 100644 --- a/test/rules/CloudFront.test.ts +++ b/test/rules/CloudFront.test.ts @@ -417,7 +417,7 @@ describe('Amazon CloudFront', () => { test('Compliance', () => { new Distribution(stack, 'Distribution', { defaultBehavior: { - origin: new S3Origin(new Bucket(stack, 'rOriginBucket')), + origin: new S3Origin(new Bucket(stack, 'OriginBucket')), }, defaultRootObject: 'index.html', }); From 83de113cf4b282d1ea1bca21f28055371fc101db Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 08:15:32 +1200 Subject: [PATCH 79/85] Update test/rules/EC2.test.ts Co-authored-by: Arun Donti --- test/rules/EC2.test.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/rules/EC2.test.ts b/test/rules/EC2.test.ts index b8fc301077..659075e2d0 100644 --- a/test/rules/EC2.test.ts +++ b/test/rules/EC2.test.ts @@ -1170,7 +1170,7 @@ describe('EC2SecurityGroupOnlyTcp443: Security Groups should only allow TCP 443 const ruleId = 'EC2SecurityGroupOnlyTcp443'; test('a non compliant ipv6 rule', () => { - new CfnSecurityGroup(stack, 'rSecurityGroup', { + new CfnSecurityGroup(stack, 'SecurityGroup', { groupDescription: 'security group tcp port 80 open on port 80', securityGroupIngress: [ { From eb664994c00d3731b585f358b868781ab498c682 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 08:16:06 +1200 Subject: [PATCH 80/85] Update test/rules/EC2.test.ts Co-authored-by: Arun Donti --- test/rules/EC2.test.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/rules/EC2.test.ts b/test/rules/EC2.test.ts index 659075e2d0..25409867f3 100644 --- a/test/rules/EC2.test.ts +++ b/test/rules/EC2.test.ts @@ -1184,7 +1184,7 @@ describe('EC2SecurityGroupOnlyTcp443: Security Groups should only allow TCP 443 }); test('a compliant ipv6 rule', () => { - new CfnSecurityGroup(stack, 'rSecurityGroup', { + new CfnSecurityGroup(stack, 'SecurityGroup', { groupDescription: 'ipv6 to non ::0/0', securityGroupIngress: [ { From 8c95f6d6c0b5eb516e7f2176c0f78b00fe126944 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 08:16:34 +1200 Subject: [PATCH 81/85] Update test/rules/EC2.test.ts Co-authored-by: Arun Donti --- test/rules/EC2.test.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/rules/EC2.test.ts b/test/rules/EC2.test.ts index 25409867f3..5ccd566ec0 100644 --- a/test/rules/EC2.test.ts +++ b/test/rules/EC2.test.ts @@ -1198,7 +1198,7 @@ describe('EC2SecurityGroupOnlyTcp443: Security Groups should only allow TCP 443 }); test('no specified port', () => { - new CfnSecurityGroup(stack, 'rSecurityGroup', { + new CfnSecurityGroup(stack, 'SecurityGroup', { groupDescription: 'security group tcp port 80 open', securityGroupIngress: [ { From 3bb29d775347ead1da57f99076fafa5243038f2f Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 08:17:03 +1200 Subject: [PATCH 82/85] Update test/rules/EC2.test.ts Co-authored-by: Arun Donti --- test/rules/EC2.test.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/rules/EC2.test.ts b/test/rules/EC2.test.ts index 5ccd566ec0..ca350c660f 100644 --- a/test/rules/EC2.test.ts +++ b/test/rules/EC2.test.ts @@ -1211,7 +1211,7 @@ describe('EC2SecurityGroupOnlyTcp443: Security Groups should only allow TCP 443 }); test('tcp port other than 443 from 0/0', () => { - new CfnSecurityGroup(stack, 'rSecurityGroup', { + new CfnSecurityGroup(stack, 'SecurityGroup', { groupDescription: 'security group tcp port 80 open', securityGroupIngress: [ { From d77c03c58cb4f5a04a5e9c7cd503dbd266f8daa4 Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 08:17:25 +1200 Subject: [PATCH 83/85] Update test/rules/EC2.test.ts Co-authored-by: Arun Donti --- test/rules/EC2.test.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/rules/EC2.test.ts b/test/rules/EC2.test.ts index ca350c660f..ba0331dc4e 100644 --- a/test/rules/EC2.test.ts +++ b/test/rules/EC2.test.ts @@ -1225,7 +1225,7 @@ describe('EC2SecurityGroupOnlyTcp443: Security Groups should only allow TCP 443 }); test('udp port from 0/0', () => { - new CfnSecurityGroup(stack, 'rSecurityGroup2', { + new CfnSecurityGroup(stack, 'SecurityGroup2', { groupDescription: 'security group with udp port 53', securityGroupIngress: [ { From c1c29a1d5ba57a400f2d3f0eef1bcb34d25e2b2b Mon Sep 17 00:00:00 2001 From: Andrew Date: Thu, 21 Sep 2023 08:17:45 +1200 Subject: [PATCH 84/85] Update test/rules/EC2.test.ts Co-authored-by: Arun Donti --- test/rules/EC2.test.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/rules/EC2.test.ts b/test/rules/EC2.test.ts index ba0331dc4e..1b2d4139a4 100644 --- a/test/rules/EC2.test.ts +++ b/test/rules/EC2.test.ts @@ -1239,7 +1239,7 @@ describe('EC2SecurityGroupOnlyTcp443: Security Groups should only allow TCP 443 }); test('ipv4 tcp443 from anywhere', () => { - new CfnSecurityGroup(stack, 'rSecurityGroup2', { + new CfnSecurityGroup(stack, 'SecurityGroup2', { groupDescription: 'security group with tcp 443 ingress allowed', securityGroupIngress: [ { From c6abbb89d6fc17da4711d6b73bf240b1ab85adc7 Mon Sep 17 00:00:00 2001 From: mrpackethead Date: Sun, 1 Oct 2023 00:04:38 +0000 Subject: [PATCH 85/85] fix: missing SHOULD/MUST statements in README.md --- RULES.md | 136 ++++++++++++++++++++++++++++--------------------------- 1 file changed, 69 insertions(+), 67 deletions(-) diff --git a/RULES.md b/RULES.md index 23233eb128..6800ecb609 100644 --- a/RULES.md +++ b/RULES.md @@ -699,78 +699,80 @@ Unimplemented rules from the AWS PCI DSS 3.2.1 Conformance Pack. The [Operational Best Practices for NZISM 3.6](https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nzism.html) Conformance pack offers a collection of AWS Config Rules that enable customers to align to a subset of the Zealand Government Communications Security Bureau (GCSB) Information Security Manual (NZISM) standards. NZISM 3.6 NagPack implements many of the checks within the conformance pack. +Some tests in this pack map to multiple NZISM controls. For tests which have at least one control that has a 'MUST' requirement, the test will return an error if not compliant. For tests which only have 'SHOULD' requirments, the pack will raise warnings if not compliant. + ### Errors -| Rule ID | Cause | Explanation | Relevent Control ID(s) | -| ------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------- | -| NZISM3.6-APIGWExecutionLoggingEnabled | The API Gateway stage does not have execution logging enabled for all methods. | API Gateway logging displays detailed views of users who accessed the API and the way they accessed the API. This insight enables visibility of user activities. | 16.6.10.C.02[CID:2013], 23.5.11.C.01[CID:7496] | -| NZISM3.6-CloudFrontDistributionAccessLogging | The CloudFront distribution does not have access logging enabled. | Enabling access logs helps operators track all viewer requests for the content delivered through the Content Delivery Network | 16.6.10.C.02[CID:2013], 23.5.11.C.01[CID:7496] | -| NZISM3.6-CloudFrontDistributionWAFIntegration | The CloudFront distribution requires integration with WAF. | The Web Application Firewall can help protect against application-layer attacks that can compromise the security of the system or place unnecessary load on them | 19.1.12.C.01[CID:3562] | -| NZISM3.6-CloudFrontDistributionHttpsViewerNoOutdatedSSL | The CloudFront distribution allows for SSLv3 or TLSv1 for HTTPS viewer connections. | Vulnerabilities have been and continue to be discovered in the deprecated SSL and TLS protocols. Help protect viewer connections by specifying a viewer certificate that enforces a minimum of TLSv1.1 or TLSv1.2 in the security policy. Distributions that use the default CloudFront viewer certificate or use vip for the SslSupportMethod are non-compliant with this rule, as the minimum security policy is set to TLSv1 regardless of the specified MinimumProtocolVersion | 16.1.37.C.01[CID:1847] | -| NZISM3.6-CloudTrailCloudWatchLogsEnabled | The trail does not have CloudWatch logs enabled. | Use Amazon CloudWatch to centrally collect and manage log event activity. Inclusion of AWS CloudTrail data provides details of API call activity within your AWS account | 16.6.6.C.02[CID:1998] 16.4.35.C.02[CID:6860] | -| NZISM3.6-CloudTrailLogFileValidationEnabled | The trail does not have validation enabled. | Utilize AWS CloudTrail log file validation to check the integrity of CloudTrail logs. Log file validation helps determine if a log file was modified or deleted or unchanged after CloudTrail delivered it. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection | 16.6.12.C.01[CID:2022], 23.5.11.C.01[CID:7496] | -| NZISM3.6-CloudWatchLogGroupRetentionPeriod | The CloudWatch Log Group does not have an explicit retention period configured. | Ensure a minimum duration of event log data is retained for your log groups to help with troubleshooting and forensics investigations. The lack of available past event log data makes it difficult to reconstruct and identify potentially malicious events | 16.6.6.C.02[CID:1998], 16.6.13.C.01[CID:2028] | -| NZISM3.6-CloudWatchLogGroupEncrypted | The CloudWatch Log Group is not encrypted with an AWS KMS key. | To help protect sensitive data at rest, ensure encryption is enabled for your Amazon CloudWatch Log Groups | 16.6.12.C.01[CID:2022], 23.5.11.C.01[CID:7496] | -| NZISM3.6-DMSReplicationNotPublic | The DMS replication instance is public. | DMS replication instances can contain sensitive information and access control is required for such accounts | 19.1.12.C.01[CID:3562], 23.4.10.C.01[CID:7466] | -| NZISM3.6-DynamoDBAutoScalingEnabled | The provisioned capacity DynamoDB table does not have Auto Scaling enabled on its indexes. | Amazon DynamoDB auto scaling uses the AWS Application Auto Scaling service to adjust provisioned throughput capacity that automatically responds to actual traffic patterns. This enables a table or a global secondary index to increase its provisioned read/write capacity to handle sudden increases in traffic, without throttling | 22.1.23.C.01[CID:4829] | -| NZISM3.6-DynamoDBInBackupPlan | The DynamoDB table is not in an AWS Backup plan. | To help with data back-up processes, ensure your Amazon DynamoDB tables are a part of an AWS Backup plan. AWS Backup is a fully managed backup service with a policy-based backup solution. This solution simplifies your backup management and enables you to meet your business and regulatory backup compliance requirements | 22.1.26.C.01[CID:4849] | -| NZISM3.6-DynamoDBPITREnabled | DynamoDB table does not have Point-in-time Recovery enabled. | The recovery maintains continuous backups of your table for the last 35 days | 22.1.26.C.01[CID:4849] | -| NZISM3.6-EC2EBSInBackupPlan | The EC2 instance is associated with a public IP address. | Manage access to the AWS Cloud by ensuring Amazon Elastic Compute Cloud (Amazon EC2) instances cannot be publicly accessed. Amazon EC2 instances can contain sensitive information and access control is required for such accounts | 23.4.10.C.01[CID:7466] | -| NZISM3.6-EC2InstancesInVPC | The EC2 instance is not within a VPC. | Deploy Amazon Elastic Compute Cloud (Amazon EC2) instances within an Amazon Virtual Private Cloud (Amazon VPC) to enable secure communication between an instance and other services within the amazon VPC, without requiring an internet gateway, NAT device, or VPN connection. All traffic remains securely within the AWS Cloud. Because of their logical isolation, domains that reside within anAmazon VPC have an extra layer of security when compared to domains that use public endpoints. Assign Amazon EC2 instances to an Amazon VPC to properly manage access | 19.1.12.C.01[CID:3562], 23.4.10.C.01[CID:7466] | -| NZISM3.6-EC2IMDSv2 | THe Ec2 Instance does not use IMDSv2. | IMDSv2 adds session-based controls to http requests to restrict access to the Instance Meta Data Service | 19.1.12.C.01[CID:3562], 23.4.10.C.01[CID:7466] | -| NZISM3.6-EFSInBackupPlan | The EFS is not in an AWS Backup plan. | To help with data back-up processes, ensure your Amazon Elastic File System (Amazon EFS) file systems are a part of an AWS Backup plan. AWS Backup is a fully managed backup service with a policy-based backup solution. This solution simplifies your backup management and enables you to meet your business and regulatory backup compliance requirements | MUST 22.1.26.C.01[CID:4849] | -| NZISM3.6-EFSEncrypted | The EFS does not have encryption at rest enabled. | Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your Amazon Elastic File System (EFS) | 17.1.46.C.04[CID:2082], 22.1.24.C.04[CID:4839] | -| NZISM3.6-ElastiCacheRedisClusterAutomaticBackup | The ElastiCache Redis cluster does not retain automatic backups for at least 15 day. | Automatic backups can help guard against data loss. If a failure occurs, you can create a new cluster, which restores your data from the most recent backup | 22.1.26.C.01[CID:4849] | -| NZISM3.6-ALBHttpToHttpsRedirection | The ALBs HTTP listeners are not configured to redirect to HTTPS. | To help protect data in transit, ensure that your Application Load Balancer automatically redirects unencrypted HTTP requests to HTTPS. Because sensitive data can exist, enable encryption in transit to help protect that data | 16.1.37.C.01[CID:1847], 17.1.48.C.03[CID:2091] | -| NZISM3.6-ALBWAFEnabled | The ALB is not associated with AWS WAFv2 web ACL. | A WAF helps to protect your web applications or APIs against common web exploits. These web exploits may affect availability, compromise security, or consume excessive resources within your environment | 19.1.12.C.01[CID:3562], 20.3.7.C.02[CID:4333], 23.4.10.C.01[CID:7466] | -| NZISM3.6-ELBCrossZoneLoadBalancingEnabled | Load Balancers are not cross zone enabled. | Enable cross-zone load balancing for your Classic Load Balancers (CLBs) to help maintain adequate capacity and availability. The cross-zone load balancing reduces the need to maintain equivalent numbers of instances in each enabled availability zone. It also improves your application's ability to handle the loss of one or more instances | 22.1.23.C.01[CID:4829] | -| NZISM3.6-ELBLoggingEnabled | The ELB does not have logging enabled. | Elastic Load Balancing activity is a central point of communication within an environment. Ensure ELB logging is enabled. The collected data provides detailed information about requests sent to The ELB. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses | 16.6.10.C.02[CID:2013], 23.5.11.C.01[CID:7496] | -| NZISM3.6-ELBTlsHttpsListenersOnly | The Classic Load Balancer does not restrict its listeners to only the SSL and HTTPS protocol. | Ensure that your Classic Load Balancers (CLBs) are configured with SSL or HTTPS listeners. Because sensitive data can exist, enable encryption in transit to help protect that data | 14.5.8.C.01[CID:1667], 16.1.37.C.01[CID:1847], 17.1.48.C.03[CID:2091], 22.1.24.C.04[CID:4839] | -| NZISM3.6-lambda-function-public-access-prohibited | Lambda function policies should not be publically invokable. | | 19.1.12.C.01[CID:3562], 23.4.10.C.01[CID:7466] | -| NZISM3.6-OpenSearchInVPCOnly | The OpenSearch Service domain is not running within a VPC. | VPCs help secure your AWS resources and provide an extra layer of protection | 19.1.12.C.01[CID:3562], 19.1.14.C.02[CID:3623] | -| NZISM3.6-OpenSearchNodeToNodeEncryption | The OpenSearch Service domain does not have node-to-node encryption enabled. | Because sensitive data can exist, enable encryption in transit to help protect that data within your Amazon OpenSearch Service (OpenSearch Service) domains | 16.1.37.C.01[CID:1847], 22.1.24.C.04[CID:4839] | -| NZISM3.6-RDSInstanceDeletionProtectionEnabled | The RDS DB Instance or Aurora Cluster does not have deletion protection enabled. | Ensure Amazon Relational Database Service (Amazon RDS) instances and clusters have deletion protection enabled. Use deletion protection to prevent your Amazon RDS DB instances and clusters from being accidentally or maliciously deleted, which can lead to loss of availability for your application | 22.1.26.C.01[CID:4849] | -| NZISM3.6-RDSMultiAZSupport | The RDS DB Instance does not have multi-AZ support. | Ensure Amazon Relational Database Service (Amazon RDS) instances and clusters have deletion protection enabled. Use deletion protection to prevent your Amazon RDS DB instances and clusters from being accidentally or maliciously deleted, which can lead to loss of availability for your applications | 22.1.23.C.01[CID:4829] | -| NZISM3.6-RDSInBackupPlan | The RDS DB instance is not in an AWS Backup plan. | To help with data back-up processes, ensure your Amazon Relational Database Service (Amazon RDS) instances are a part of an AWS Backup plan. AWS Backup is a fully managed backup service with a policy-based backup solution. This solution simplifies your backup management and enables you to meet your business and regulatory backup compliance requirements | 22.1.26.C.01[CID:4849] | -| NZISM3.6-RDSInstancePublicAccess | The RDS DB Instance allows public access. | Amazon RDS database instances can contain sensitive information, and principles and access control is required for such accounts | 19.1.12.C.01[CID:3562], 19.1.14.C.02[CID:3623], 23.4.10.C.01[CID:7466] | -| NZISM3.6-RedshiftBackupEnabled | The Redshift cluster does not have automated snapshots enabled or the retention period is not between 1 and 35 days. | To help with data back-up processes, ensure your Amazon Redshift clusters have automated snapshots. When automated snapshots are enabled for a cluster, Redshift periodically takes snapshots of that cluster. By default, Redshift takes a snapshot every eight hours or every 5 GB per node of data changes, or whichever comes first | 22.1.26.C.01[CID:4849] | -| NZISM3.6-RedshiftClusterMaintenanceSettings | The Redshift cluster does not have version upgrades enabled, automated snapshot retention periods enabled, and an explicit maintenance window configured. | Ensure that Amazon Redshift clusters have the preferred settings for your organization. Specifically, that they have preferred maintenance windows and automated snapshot retention periods for the database | 12.4.4.C.02[CID:3449], 12.4.4.C.06[CID:3453] | -| NZISM3.6-RedshiftClusterPublicAccess | Redshift must not be made publically avaialble. | Amazon Redshift clusters can contain sensitive information and principles and access control is required for such accounts | 19.1.12.C.01[CID:3562], 19.1.14.C.02[CID:3623], 23.4.10.C.01[CID:7466] | -| NZISM3.6-RedshiftRequireTlsSSL | The Redshift cluster must use TLS/SSL encryption. | Ensure that your Amazon Redshift clusters require TLS/SSL encryption to connect to SQL clients. Because sensitive data can exist, enable encryption in transit to help protect that data | 17.1.48.C.03[CID:2091], 22.1.24.C.04[CID:4839] | -| NZISM3.6-S3BucketLoggingEnabled | The S3 Buckets does not have server access logs enable. | Amazon Simple Storage Service (Amazon S3) server access logging provides a method to monitor the network for potential cybersecurity events. The events are monitored by capturing detailed records for the requests that are made to an Amazon S3 bucket. Each access log record provides details about a single access request. The details include the requester, bucket name, request time, request action, response status, and an error code, if relevant | 22.1.26.C.01[CID:4849] | -| NZISM3.6-S3BucketVersioningEnabled | The S3 Bucket does not have versioning enable. | Use versioning to preserve, retrieve, and restore every version of every object stored in your Amazon S3 bucket. Versioning helps you to easily recover from unintended user actions and application failures | 22.1.26.C.01[CID:4849] | -| NZISM3.6-SageMakerNotebookNoDirectInternetAccess | The SageMaker notebook does not disable direct internet access. | By preventing direct internet access, you can keep sensitive data from being accessed by unauthorized users | 19.1.12.C.01[CID:3562], 23.4.10.C.01[CID:7466] | -| NZISM3.6-VPCDefaultSecurityGroupClosed | The VPC does not have an associated Flow Log. | The VPC flow logs provide detailed records for information about the IP traffic going to and from network interfaces in your Amazon | -| NZSISM3.6-VPCFlowLogs | VPC does not have an Assocated Flow Log. | Enable a Flow Log for the VPC | 19.1.12.C.01[CID:3562], 23.4.10.C.01[CID:7466] | -| NZISM3.6-WAFv2LoggingEnabled | The WAFv2 web ACL does not have logging enabled. | AWS WAF logging provides detailed information about the traffic that is analyzed by your web ACL. The logs record the time that AWS WAF received the request from your AWS resource, information about the request, and an action for the rule that each request matched. | [CID:2013], 23.5.11.C.01[CID:7496] | +| Rule ID | Cause | Explanation | Relevent Control ID(s) | +| ------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------- | +| NZISM3.6-APIGWExecutionLoggingEnabled | The API Gateway stage does not have execution logging enabled for all methods. | API Gateway logging displays detailed views of users who accessed the API and the way they accessed the API. This insight enables visibility of user activities. | Control IDs: SHOULD(16.6.10.C.02[CID:2013]), MUST(23.5.11.C.01[CID:7496]) | +| NZISM3.6-CloudFrontDistributionAccessLogging | The CloudFront distribution does not have access logging enabled. | Enabling access logs helps operators track all viewer requests for the content delivered through the Content Delivery Network | Control IDs: SHOULD(16.6.10.C.02[CID:2013]), MUST(23.5.11.C.01[CID:7496]) | +| NZISM3.6-CloudFrontDistributionWAFIntegration | The CloudFront distribution requires integration with WAF. | The Web Application Firewall can help protect against application-layer attacks that can compromise the security of the system or place unnecessary load on them | Control IDs: MUST(19.1.12.C.01[CID:3562]) | +| NZISM3.6-CloudFrontDistributionHttpsViewerNoOutdatedSSL | The CloudFront distribution allows for SSLv3 or TLSv1 for HTTPS viewer connections. | Vulnerabilities have been and continue to be discovered in the deprecated SSL and TLS protocols. Help protect viewer connections by specifying a viewer certificate that enforces a minimum of TLSv1.1 or TLSv1.2 in the security policy. Distributions that use the default CloudFront viewer certificate or use vip for the SslSupportMethod are non-compliant with this rule, as the minimum security policy is set to TLSv1 regardless of the specified MinimumProtocolVersion | Control IDs: MUST(16.1.37.C.01[CID:1847]) | +| NZISM3.6-CloudTrailCloudWatchLogsEnabled | The trail does not have CloudWatch logs enabled. | Use Amazon CloudWatch to centrally collect and manage log event activity. Inclusion of AWS CloudTrail data provides details of API call activity within your AWS account | Control IDs: SHOULD(16.6.6.C.02[CID:1998]), MUST(16.4.35.C.02[CID:6860]) | +| NZISM3.6-CloudTrailLogFileValidationEnabled | The trail does not have validation enabled. | Utilize AWS CloudTrail log file validation to check the integrity of CloudTrail logs. Log file validation helps determine if a log file was modified or deleted or unchanged after CloudTrail delivered it. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection | Control IDs: MUST(16.6.12.C.01[CID:2022], 23.5.11.C.01[CID:7496]) | +| NZISM3.6-CloudWatchLogGroupRetentionPeriod | The CloudWatch Log Group does not have an explicit retention period configured. | Ensure a minimum duration of event log data is retained for your log groups to help with troubleshooting and forensics investigations. The lack of available past event log data makes it difficult to reconstruct and identify potentially malicious events | Control IDs: SHOULD(16.6.6.C.02[CID:1998]), MUST(16.6.13.C.01[CID:2028]) | +| NZISM3.6-CloudWatchLogGroupEncrypted | The CloudWatch Log Group is not encrypted with an AWS KMS key. | To help protect sensitive data at rest, ensure encryption is enabled for your Amazon CloudWatch Log Groups | Control IDs: MUST(16.6.12.C.01[CID:2022], 23.5.11.C.01[CID:7496]) | +| NZISM3.6-DMSReplicationNotPublic | The DMS replication instance is public. | DMS replication instances can contain sensitive information and access control is required for such accounts | Control IDs: MUST(19.1.12.C.01[CID:3562], 23.4.10.C.01[CID:7466]) | +| NZISM3.6-DynamoDBAutoScalingEnabled | The provisioned capacity DynamoDB table does not have Auto Scaling enabled on its indexes. | Amazon DynamoDB auto scaling uses the AWS Application Auto Scaling service to adjust provisioned throughput capacity that automatically responds to actual traffic patterns. This enables a table or a global secondary index to increase its provisioned read/write capacity to handle sudden increases in traffic, without throttling | Control IDs: MUST(22.1.23.C.01[CID:4829] | +| NZISM3.6-DynamoDBInBackupPlan | The DynamoDB table is not in an AWS Backup plan. | To help with data back-up processes, ensure your Amazon DynamoDB tables are a part of an AWS Backup plan. AWS Backup is a fully managed backup service with a policy-based backup solution. This solution simplifies your backup management and enables you to meet your business and regulatory backup compliance requirements | Control IDs: MUST(22.1.26.C.01[CID:4849]) | +| NZISM3.6-DynamoDBPITREnabled | DynamoDB table does not have Point-in-time Recovery enabled. | The recovery maintains continuous backups of your table for the last 35 days | Control IDs: MUST(22.1.26.C.01[CID:4849]) | +| NZISM3.6-EC2EBSInBackupPlan | The EC2 instance is associated with a public IP address. | Manage access to the AWS Cloud by ensuring Amazon Elastic Compute Cloud (Amazon EC2) instances cannot be publicly accessed. Amazon EC2 instances can contain sensitive information and access control is required for such accounts | Control IDs: MUST(19.1.12.C.01[CID:3562], 23.4.10.C.01[CID:7466]) | +| NZISM3.6-EC2InstancesInVPC | The EC2 instance is not within a VPC. | Deploy Amazon Elastic Compute Cloud (Amazon EC2) instances within an Amazon Virtual Private Cloud (Amazon VPC) to enable secure communication between an instance and other services within the amazon VPC, without requiring an internet gateway, NAT device, or VPN connection. All traffic remains securely within the AWS Cloud. Because of their logical isolation, domains that reside within anAmazon VPC have an extra layer of security when compared to domains that use public endpoints. Assign Amazon EC2 instances to an Amazon VPC to properly manage access | Control IDs: MUST(19.1.12.C.01[CID:3562], 23.4.10.C.01[CID:7466]) | +| NZISM3.6-EC2IMDSv2 | THe Ec2 Instance does not use IMDSv2. | IMDSv2 adds session-based controls to http requests to restrict access to the Instance Meta Data Service | Control IDs: MUST(19.1.12.C.01[CID:3562], 23.4.10.C.01[CID:7466]) | +| NZISM3.6-EFSInBackupPlan | The EFS is not in an AWS Backup plan. | To help with data back-up processes, ensure your Amazon Elastic File System (Amazon EFS) file systems are a part of an AWS Backup plan. AWS Backup is a fully managed backup service with a policy-based backup solution. This solution simplifies your backup management and enables you to meet your business and regulatory backup compliance requirements | Control IDs: MUST(22.1.26.C.01[CID:4849]) | +| NZISM3.6-EFSEncrypted | The EFS does not have encryption at rest enabled. | Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your Amazon Elastic File System (EFS) | Control IDs: SHOULD(17.1.46.C.04[CID:2082], 22.1.24.C.04[CID:4839]) | +| NZISM3.6-ElastiCacheRedisClusterAutomaticBackup | The ElastiCache Redis cluster does not retain automatic backups for at least 15 day. | Automatic backups can help guard against data loss. If a failure occurs, you can create a new cluster, which restores your data from the most recent backup | Control IDs: MUST(22.1.26.C.01[CID:4849]) | +| NZISM3.6-ALBHttpToHttpsRedirection | The ALBs HTTP listeners are not configured to redirect to HTTPS. | To help protect data in transit, ensure that your Application Load Balancer automatically redirects unencrypted HTTP requests to HTTPS. Because sensitive data can exist, enable encryption in transit to help protect that data | Control IDs: MUST(16.1.37.C.01[CID:1847], 17.1.48.C.03[CID:2091]) | +| NZISM3.6-ALBWAFEnabled | The ALB is not associated with AWS WAFv2 web ACL. | A WAF helps to protect your web applications or APIs against common web exploits. These web exploits may affect availability, compromise security, or consume excessive resources within your environment | Control IDs: SHOULD(20.3.7.C.02[CID:4333]), MUST(19.1.12.C.01[CID:3562], 23.4.10.C.01[CID:7466]) | +| NZISM3.6-ELBCrossZoneLoadBalancingEnabled | Load Balancers are not cross zone enabled. | Enable cross-zone load balancing for your Classic Load Balancers (CLBs) to help maintain adequate capacity and availability. The cross-zone load balancing reduces the need to maintain equivalent numbers of instances in each enabled availability zone. It also improves your application's ability to handle the loss of one or more instances | Control IDs: MUST(22.1.23.C.01[CID:4829])] | +| NZISM3.6-ELBLoggingEnabled | The ELB does not have logging enabled. | Elastic Load Balancing activity is a central point of communication within an environment. Ensure ELB logging is enabled. The collected data provides detailed information about requests sent to The ELB. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses | Control IDs: SHOULD(16.6.10.C.02[CID:2013]), MUST(23.5.11.C.01[CID:7496]) | +| NZISM3.6-ELBTlsHttpsListenersOnly | The Classic Load Balancer does not restrict its listeners to only the SSL and HTTPS protocol. | Ensure that your Classic Load Balancers (CLBs) are configured with SSL or HTTPS listeners. Because sensitive data can exist, enable encryption in transit to help protect that data | 14.5.8.C.01(Control IDs: SHOULD(14.5.8.C.01[CID:1667], 22.1.24.C.04[CID:4839])), MUST(16.1.37.C.01[CID:1847], 17.1.48.C.03[CID:2091]) | +| NZISM3.6-lambda-function-public-access-prohibited | Lambda function policies should not be publically invokable. | | Control IDs: MUST(19.1.12.C.01[CID:3562], 23.4.10.C.01[CID:7466]) | +| NZISM3.6-OpenSearchInVPCOnly | The OpenSearch Service domain is not running within a VPC. | VPCs help secure your AWS resources and provide an extra layer of protection | Control IDs: SHOULD(19.1.14.C.02[CID:3623]), MUST(19.1.12.C.01[CID:3562]) | +| NZISM3.6-OpenSearchNodeToNodeEncryption | The OpenSearch Service domain does not have node-to-node encryption enabled. | Because sensitive data can exist, enable encryption in transit to help protect that data within your Amazon OpenSearch Service (OpenSearch Service) domains | Control IDs: SHOULD(22.1.24.C.04[CID:4839]), MUST(16.1.37.C.01[CID:1847]) | +| NZISM3.6-RDSInstanceDeletionProtectionEnabled | The RDS DB Instance or Aurora Cluster does not have deletion protection enabled. | Ensure Amazon Relational Database Service (Amazon RDS) instances and clusters have deletion protection enabled. Use deletion protection to prevent your Amazon RDS DB instances and clusters from being accidentally or maliciously deleted, which can lead to loss of availability for your application | Control IDs: MUST(22.1.26.C.01[CID:4849]) | +| NZISM3.6-RDSMultiAZSupport | The RDS DB Instance does not have multi-AZ support. | Ensure Amazon Relational Database Service (Amazon RDS) instances and clusters have deletion protection enabled. Use deletion protection to prevent your Amazon RDS DB instances and clusters from being accidentally or maliciously deleted, which can lead to loss of availability for your applications | Control IDs: MUST(22.1.23.C.01[CID:4829]) | +| NZISM3.6-RDSInBackupPlan | The RDS DB instance is not in an AWS Backup plan. | To help with data back-up processes, ensure your Amazon Relational Database Service (Amazon RDS) instances are a part of an AWS Backup plan. AWS Backup is a fully managed backup service with a policy-based backup solution. This solution simplifies your backup management and enables you to meet your business and regulatory backup compliance requirements | Control IDs: MUST(22.1.26.C.01[CID:4849]) | +| NZISM3.6-RDSInstancePublicAccess | The RDS DB Instance allows public access. | Amazon RDS database instances can contain sensitive information, and principles and access control is required for such accounts | Control IDs: SHOULD(19.1.14.C.02[CID:3623]), MUST(19.1.12.C.01[CID:3562], 23.4.10.C.01[CID:7466]) | +| NZISM3.6-RedshiftBackupEnabled | The Redshift cluster does not have automated snapshots enabled or the retention period is not between 1 and 35 days. | To help with data back-up processes, ensure your Amazon Redshift clusters have automated snapshots. When automated snapshots are enabled for a cluster, Redshift periodically takes snapshots of that cluster. By default, Redshift takes a snapshot every eight hours or every 5 GB per node of data changes, or whichever comes first | Control IDs: MUST(22.1.26.C.01[CID:4849]) | +| NZISM3.6-RedshiftClusterMaintenanceSettings | The Redshift cluster does not have version upgrades enabled, automated snapshot retention periods enabled, and an explicit maintenance window configured. | Ensure that Amazon Redshift clusters have the preferred settings for your organization. Specifically, that they have preferred maintenance windows and automated snapshot retention periods for the database | SHOULD(12.4.4.C.06[CID:3453]), MUST(12.4.4.C.02[CID:3449]) | +| NZISM3.6-RedshiftClusterPublicAccess | Redshift must not be made publically avaialble. | Amazon Redshift clusters can contain sensitive information and principles and access control is required for such accounts | Control IDs: SHOULD(19.1.14.C.02[CID:3623]), MUST(19.1.12.C.01[CID:3562], 23.4.10.C.01[CID:7466]) | +| NZISM3.6-RedshiftRequireTlsSSL | The Redshift cluster must use TLS/SSL encryption. | Ensure that your Amazon Redshift clusters require TLS/SSL encryption to connect to SQL clients. Because sensitive data can exist, enable encryption in transit to help protect that data | Control IDs: SHOULD(22.1.24.C.04[CID:4839]), MUST(17.1.48.C.03[CID:2091]) | +| NZISM3.6-S3BucketLoggingEnabled | The S3 Buckets does not have server access logs enable. | Amazon Simple Storage Service (Amazon S3) server access logging provides a method to monitor the network for potential cybersecurity events. The events are monitored by capturing detailed records for the requests that are made to an Amazon S3 bucket. Each access log record provides details about a single access request. The details include the requester, bucket name, request time, request action, response status, and an error code, if relevant | Control IDs: MUST(22.1.26.C.01[CID:4849]) | +| NZISM3.6-S3BucketVersioningEnabled | The S3 Bucket does not have versioning enable. | Use versioning to preserve, retrieve, and restore every version of every object stored in your Amazon S3 bucket. Versioning helps you to easily recover from unintended user actions and application failures | Control IDs: MUST(22.1.26.C.01[CID:4849]) | +| NZISM3.6-SageMakerNotebookNoDirectInternetAccess | The SageMaker notebook does not disable direct internet access. | By preventing direct internet access, you can keep sensitive data from being accessed by unauthorized users | Control IDs: MUST(19.1.12.C.01[CID:3562], 23.4.10.C.01[CID:7466]) | +| NZISM3.6-VPCDefaultSecurityGroupClosed | The VPC does not have an associated Flow Log. | The VPC flow logs provide detailed records for information about the IP traffic going to and from network interfaces in your Amazon | Control IDs: MUST(19.1.12.C.01[CID:3562], 23.4.10.C.01[CID:7466]) | +| NZSISM3.6-VPCFlowLogs | VPC does not have an Assocated Flow Log. | Enable a Flow Log for the VPC | Control IDs: MUST(19.1.12.C.01[CID:3562], 23.4.10.C.01[CID:7466]) | +| NZISM3.6-RDSLoggingEnabled | The non-Aurora RDS DB instance or Aurora cluster does not have all CloudWatch log types exported. | | Control IDs: SHOULD(16.6.10.C.02[CID:2013], 20.4.4.C.02[CID:4441], 20.4.5.C.02[CID:4445]), MUST(23.5.11.C.01[CID:7496]) | +| NZISM3.6-WAFv2LoggingEnabled | The WAFv2 web ACL does not have logging enabled. | AWS WAF logging provides detailed information about the traffic that is analyzed by your web ACL. The logs record the time that AWS WAF received the request from your AWS resource, information about the request, and an action for the rule that each request matched. | Control IDs: SHOULD(16.6.10.C.02[CID:2013]), MUST(23.5.11.C.01[CID:7496]) | ### Warnings. -| Rule ID | Cause | Explanation | Relevent Control ID(s) | -| ------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------- | -| NZISM3.6-CloudFrontDistributionAccessLogging | The CloudFront distribution does not have access logging enabled. | Enabling access logs helps operators track all viewer requests for the content delivered through the Content Delivery Network. | 16.6.10.C.02[CID:2013], 23.5.11.C.01[CID:7496] | -| NZISM3.6-CloudTrailEncryptionEnabled | The trail does not have encryption enabled. | Because sensitive data may exist and to help protect data at rest, ensure encryption is enabled for your AWS CloudTrail trails | 17.1.46.C.04[CID:2082] | -| NZISM3.6-CloudfrontDefaultRootObjectConfigured | The Cloudfront distribution requires a default object. | Specifying a default root object lets you avoid exposing the contents of your distribution | 14.5.6.C.01[CID:1661] | -| NZISM3.6-EC2EBSVolumeEncrypted | The EBS volume has encryption disabled. | With EBS encryption, you aren not required to build, maintain, and secure your own key management infrastructure. EBS encryption uses KMS keys when creating encrypted volumes and snapshots. This helps protect data at rest. | 17.1.46.C.04[CID:2082], 22.1.24.C.04[CID:4839 | -| NZISM3.6-EC2RestrictedSSH | The Security Group allows unrestricted SSH access. | Not allowing ingress (or remote) traffic from 0.0.0.0/0 or ::/0 to port 22 on your resources helps to restrict remote access | 17.5.8.C.02[CID:2726] | -| NZISM3.6-ECSTaskDefinitionUserForHostMode | The ECS task definition is configured for host networking and has at least one container with definitions with privileged set to false or empty or user set to root or empty. | If a task definition has elevated privileges it is because you have specifically opted-in to those configurations. This rule checks for unexpected privilege escalation when a task definition has host networking enabled but the customer has not opted-in to elevated privileges | 14.1.8.C.01[CID:1149] | -| NZISM3.6-ElasticBeanstalkManagedUpdatesEnabled | The Elastic Beanstalk environment does not have enhanced health reporting enabled. | Enabling managed platform updates for an Amazon Elastic Beanstalk environment ensures that the latest available platform fixes, updates, and features for the environment are installed. Keeping up to date with patch installation is a best practice in securing systems | 12.4.4.C.05[CID:3452] | -| NZISM3.6-IAMPolicyNoStatementsWithAdminAccess | The IAM policy grants admin access, meaning the policy allows a principal to perform all actions on all resources. | AWS Identity and Access Management (IAM) can help you incorporate the principles of least privilege and separation of duties with access permissions and authorizations, by ensuring that IAM groups have at least one IAM user. Placing IAM users in groups based on their associated permissions or job function is one way to incorporate least privilege | 16.3.5.C.02[CID:1946] | -| NZISM3.6-KMSBackingKeyRotationEnabled | The KMS Symmetric key does not have automatic key rotation enabled. | Enable key rotation to ensure that keys are rotated once they have reached the end of their crypto period | 17.9.25.C.01[CID:3021] | -| NZISM3.6-OpenSearchEncryptedAtRest | The OpenSearch Service domain does not have encryption at rest enabled. | Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your Amazon OpenSearch Service (OpenSearch Service) domains | 17.1.46.C.04[CID:2082], 20.4.4.C.02[CID:4441], 22.1.24.C.04[CID:4839] | -| NZISM3.6-RDSAutomaticMinorVersionUpgradeEnabled | RDS DB Instance is not configured for minor patches. | Provides automatic Patching in the Database | 12.4.4.C.05[CID:3452] | -| NZISM3.6-RDSLoggingEnabled | The non-Aurora RDS DB instance or Aurora cluster does not have all CloudWatch log types exported. | | SHOULD 16.6.10.C.02[CID:2013], 20.4.4.C.02[CID:4441], 20.4.5.C.02[CID:4445], MUST 23.5.11.C.01[CID:7496] | -| NZISM3.6-RDSStorageEncrypted | The RDS DB Instance or Aurora Cluster does not have storage encrypted. | Because sensitive data can exist at rest in Amazon RDS instances, enable encryption at rest to help protect that data | 17.1.46.C.04[CID:2082], 20.4.4.C.02[CID:4441], 22.1.24.C.04[CID:4839] | -| NZISM3.6-RedshiftClusterConfiguration | The Redshift cluster does not have encryption or audit logging enabled. | To protect data at rest, ensure that encryption is enabled for your Amazon Redshift clusters. You must also ensure that required configurations are deployed on Amazon Redshift clusters. The audit logging should be enabled to provide information about connections and user activities in the database | 20.4.4.C.02[CID:4441], 20.4.5.C.02[CID:4445], 22.1.24.C.04[CID:4839] | -| NZISM3.6-S3BucketSSLRequestsOnly | The S3 Bucket or bucket policy does not require requests to use SSL. | To help protect data in transit, ensure that your Amazon Simple Storage Service (Amazon S3) buckets require requests to use Secure Socket Layer (SSL). Because sensitive data can exist, enable encryption in transit to help protect that data. | 22.1.24.C.04[CID:4839] | -| NZISM3.6-S3BucketPublicReadProhibited | The S3 Bucket does not prohibit public read access through its Block Public Access configurations and bucket ACLs. | The management of access should be consistent with the classification of the data | 22.1.24.C.03[CID:4838] | -| NZISM3.6-S3BucketPublicWriteProhibited | The S3 Bucket does not prohibit public write access through its Block Public Access configurations and bucket ACLs. | The management of access should be consistent with the classification of the data | 22.1.24.C.03[CID:4838] | -| NZISM3.6-S3DefaultEncryptionKMS | The S3 Bucket is not encrypted with a KMS Key by default. | Ensure that encryption is enabled for your Amazon Simple Storage Service (Amazon S3) buckets. Because sensitive data can exist at rest in an Amazon S3 bucket, enable encryption at rest to help protect that data | 17.1.46.C.04[CID:2082] | -| NZISM3.6-SageMakerEndpointConfigurationKMSKeyConfigured | The SageMaker resource endpoint is not encrypted with a KMS key. | Because sensitive data can exist at rest in SageMaker endpoint, enable encryption at rest to help protect that data | 22.1.24.C.04[CID:4839] | -| NZISM3.6-SageMakerNotebookInstanceKMSKeyConfigured | The SageMaker notebook is not encrypted with a KMS key. | Because sensitive data can exist at rest in SageMaker notebook, enable encryption at rest to help protect that data | 22.1.24.C.04[CID:4839] | -| NZISM3.6-SecretsManagerUsingKMSKey | The secret is not encrypted with a KMS Customer managed key. | To help protect data at rest, ensure encryption with AWS Key Management Service (AWS KMS) is enabled for AWS Secrets Manager secrets. Because sensitive data can exist at rest in Secrets Manager secrets, enable encryption at rest to help protect that data | 22.1.24.C.04[CID:4839] | -| NZISM3.6-SNSEncryptedKMS | The SNS topic does not have KMS encryption enabled. | To help protect data at rest, ensure that your Amazon Simple Notification Service (Amazon SNS) topics require encryption using AWS Key Management Service (AWS KMS) Because sensitive data can exist at rest in published messages, enable encryption at rest to help protect that data | 22.1.24.C.04[CID:4839] | -| NZISM3.6-EC2SecurityGroupOnlyTcp443 | Only port tcp 443 shoudl be permitted in ingress security group. | Not allowing ingress (or remote) traffic to ports other than tcp port 443 helps improve security | 18.1.13.C.02[CID:3205] | +| Rule ID | Cause | Explanation | Relevent Control ID(s) | +| ------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------- | +| NZISM3.6-CloudFrontDistributionAccessLogging | The CloudFront distribution does not have access logging enabled. | Enabling access logs helps operators track all viewer requests for the content delivered through the Content Delivery Network. | Control IDs: SHOULD(16.6.10.C.02[CID:2013]), MUST(23.5.11.C.01[CID:7496]) | +| NZISM3.6-CloudTrailEncryptionEnabled | The trail does not have encryption enabled. | Because sensitive data may exist and to help protect data at rest, ensure encryption is enabled for your AWS CloudTrail trails | Control IDs: SHOULD(17.1.46.C.04[CID:2082]) | +| NZISM3.6-CloudfrontDefaultRootObjectConfigured | The Cloudfront distribution requires a default object. | Specifying a default root object lets you avoid exposing the contents of your distribution | Control IDs: SHOULD(14.5.6.C.01[CID:1661]) | +| NZISM3.6-EC2EBSVolumeEncrypted | The EBS volume has encryption disabled. | With EBS encryption, you aren not required to build, maintain, and secure your own key management infrastructure. EBS encryption uses KMS keys when creating encrypted volumes and snapshots. This helps protect data at rest. | Control IDs: SHOULD(17.1.46.C.04[CID:2082], 22.1.24.C.04[CID:4839])) | +| NZISM3.6-EC2RestrictedSSH | The Security Group allows unrestricted SSH access. | Not allowing ingress (or remote) traffic from 0.0.0.0/0 or ::/0 to port 22 on your resources helps to restrict remote access | Control IDs: SHOULD(17.5.8.C.02[CID:2726]) | +| NZISM3.6-ECSTaskDefinitionUserForHostMode | The ECS task definition is configured for host networking and has at least one container with definitions with privileged set to false or empty or user set to root or empty. | If a task definition has elevated privileges it is because you have specifically opted-in to those configurations. This rule checks for unexpected privilege escalation when a task definition has host networking enabled but the customer has not opted-in to elevated privileges | Control IDs: SHOULD(14.1.8.C.01[CID:1149]) | +| NZISM3.6-ElasticBeanstalkManagedUpdatesEnabled | The Elastic Beanstalk environment does not have enhanced health reporting enabled. | Enabling managed platform updates for an Amazon Elastic Beanstalk environment ensures that the latest available platform fixes, updates, and features for the environment are installed. Keeping up to date with patch installation is a best practice in securing systems | Control IDs: SHOULD(12.4.4.C.05[CID:3452]) | +| NZISM3.6-IAMPolicyNoStatementsWithAdminAccess | The IAM policy grants admin access, meaning the policy allows a principal to perform all actions on all resources. | AWS Identity and Access Management (IAM) can help you incorporate the principles of least privilege and separation of duties with access permissions and authorizations, by ensuring that IAM groups have at least one IAM user. Placing IAM users in groups based on their associated permissions or job function is one way to incorporate least privilege | Control IDs: SHOULD(16.3.5.C.02[CID:1946]) | +| NZISM3.6-KMSBackingKeyRotationEnabled | The KMS Symmetric key does not have automatic key rotation enabled. | Enable key rotation to ensure that keys are rotated once they have reached the end of their crypto period | Control IDs: SHOULD(17.9.25.C.01[CID:3021]) | +| NZISM3.6-OpenSearchEncryptedAtRest | The OpenSearch Service domain does not have encryption at rest enabled. | Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your Amazon OpenSearch Service (OpenSearch Service) domains | (Control IDs: SHOULD(17.1.46.C.04[CID:2082], 20.4.4.C.02[CID:4441], 22.1.24.C.04[CID:4839])) | +| NZISM3.6-RDSAutomaticMinorVersionUpgradeEnabled | RDS DB Instance is not configured for minor patches. | Provides automatic Patching in the Database | Control IDs: SHOULD(12.4.4.C.05[CID:3452]) | +| NZISM3.6-RDSStorageEncrypted | The RDS DB Instance or Aurora Cluster does not have storage encrypted. | Because sensitive data can exist at rest in Amazon RDS instances, enable encryption at rest to help protect that data | Control IDs: SHOULD(17.1.46.C.04[CID:2082], 20.4.4.C.02[CID:4441], 22.1.24.C.04[CID:4839]) | +| NZISM3.6-RedshiftClusterConfiguration | The Redshift cluster does not have encryption or audit logging enabled. | To protect data at rest, ensure that encryption is enabled for your Amazon Redshift clusters. You must also ensure that required configurations are deployed on Amazon Redshift clusters. The audit logging should be enabled to provide information about connections and user activities in the database | Control IDs: SHOULD(17.1.46.C.04[CID:2082], 20.4.4.C.02[CID:4441], 22.1.24.C.04[CID:4839]) | +| NZISM3.6-S3BucketSSLRequestsOnly | The S3 Bucket or bucket policy does not require requests to use SSL. | To help protect data in transit, ensure that your Amazon Simple Storage Service (Amazon S3) buckets require requests to use Secure Socket Layer (SSL). Because sensitive data can exist, enable encryption in transit to help protect that data. | Control IDs: SHOULD(22.1.24.C.04[CID:4839]) | +| NZISM3.6-S3BucketPublicReadProhibited | The S3 Bucket does not prohibit public read access through its Block Public Access configurations and bucket ACLs. | The management of access should be consistent with the classification of the data | Control IDs: SHOULD(22.1.24.C.03[CID:4838]) | +| NZISM3.6-S3BucketPublicWriteProhibited | The S3 Bucket does not prohibit public write access through its Block Public Access configurations and bucket ACLs. | The management of access should be consistent with the classification of the data | Control IDs: SHOULD(22.1.24.C.03[CID:4838]) | +| NZISM3.6-S3DefaultEncryptionKMS | The S3 Bucket is not encrypted with a KMS Key by default. | Ensure that encryption is enabled for your Amazon Simple Storage Service (Amazon S3) buckets. Because sensitive data can exist at rest in an Amazon S3 bucket, enable encryption at rest to help protect that data | (Control IDs: SHOULD(17.1.46.C.04[CID:2082])) | +| NZISM3.6-SageMakerEndpointConfigurationKMSKeyConfigured | The SageMaker resource endpoint is not encrypted with a KMS key. | Because sensitive data can exist at rest in SageMaker endpoint, enable encryption at rest to help protect that data | Control IDs: SHOULD(22.1.24.C.04[CID:4839]) | +| NZISM3.6-SageMakerNotebookInstanceKMSKeyConfigured | The SageMaker notebook is not encrypted with a KMS key. | Because sensitive data can exist at rest in SageMaker notebook, enable encryption at rest to help protect that data | Control IDs: SHOULD(22.1.24.C.04[CID:4839]) | +| NZISM3.6-SecretsManagerUsingKMSKey | The secret is not encrypted with a KMS Customer managed key. | To help protect data at rest, ensure encryption with AWS Key Management Service (AWS KMS) is enabled for AWS Secrets Manager secrets. Because sensitive data can exist at rest in Secrets Manager secrets, enable encryption at rest to help protect that data | Control IDs: SHOULD(22.1.24.C.04[CID:4839]) | +| NZISM3.6-SNSEncryptedKMS | The SNS topic does not have KMS encryption enabled. | To help protect data at rest, ensure that your Amazon Simple Notification Service (Amazon SNS) topics require encryption using AWS Key Management Service (AWS KMS) Because sensitive data can exist at rest in published messages, enable encryption at rest to help protect that data | Control IDs: SHOULD(22.1.24.C.04[CID:4839]) | +| NZISM3.6-EC2SecurityGroupOnlyTcp443 | Only port tcp 443 shoudl be permitted in ingress security group. | Not allowing ingress (or remote) traffic to ports other than tcp port 443 helps improve security | Control IDs: SHOULD(18.1.13.C.02[CID:3205]) | ### Excluded Rules