diff --git a/audit_manager_control_tower/audit_manager_control_tower.sp b/audit_manager_control_tower/audit_manager_control_tower.sp
index baf61b53..5aeed9ad 100644
--- a/audit_manager_control_tower/audit_manager_control_tower.sp
+++ b/audit_manager_control_tower/audit_manager_control_tower.sp
@@ -1,8 +1,8 @@
 locals {
- audit_manager_control_tower_common_tags = {
+ audit_manager_control_tower_common_tags = merge(local.aws_compliance_common_tags, {
 audit_manager_control_tower = "true"
- plugin = "aws"
- }
+ type = "Benchmark"
+ })
 }
 
 benchmark "audit_manager_control_tower" {
diff --git a/audit_manager_control_tower/disallow_instances.sp b/audit_manager_control_tower/disallow_instances.sp
index a6d72864..6922450f 100644
--- a/audit_manager_control_tower/disallow_instances.sp
+++ b/audit_manager_control_tower/disallow_instances.sp
@@ -22,7 +22,8 @@ benchmark "audit_manager_control_tower_disallow_instances_5_0_1" {
 ]
 
 tags = merge(local.audit_manager_control_tower_disallow_instances_common_tags, {
- audit_manager_control_tower_item_id = "5.0.1"
+ audit_manager_control_tower_item_id = "5.0.1"
+ service = "AWS/RDS"
 })
 }
 
@@ -34,6 +35,7 @@ benchmark "audit_manager_control_tower_disallow_instances_5_1_1" {
 ]
 
 tags = merge(local.audit_manager_control_tower_disallow_instances_common_tags, {
- audit_manager_control_tower_item_id = "5.1.1"
+ audit_manager_control_tower_item_id = "5.1.1"
+ service = "AWS/S3"
 })
-}
\ No newline at end of file
+}
diff --git a/audit_manager_control_tower/disallow_internet_connection.sp b/audit_manager_control_tower/disallow_internet_connection.sp
index 009c39db..90a83b45 100644
--- a/audit_manager_control_tower/disallow_internet_connection.sp
+++ b/audit_manager_control_tower/disallow_internet_connection.sp
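Review bot: `type = "Benchmark"` is baked into the shared local `audit_manager_control_tower_common_tags` on the added line, whereas the cis_v130/cis.sp and cis_v140/cis.sp hunks later in this diff keep their shared locals type-neutral and add `type = "Benchmark"` per benchmark inside the `merge`. Any control in this folder that merges the audit-manager local (none is visible in these hunks) would be mis-tagged as a Benchmark, and the two conventions will drift over time. Keep the local to `audit_manager_control_tower = "true"` and tag the benchmark itself: `tags = merge(local.audit_manager_control_tower_common_tags, { type = "Benchmark" })`. Note also that `local.aws_compliance_common_tags`, referenced here and in every other file in this diff, is not defined by any visible hunk; presumably it lands in mod.sp in the same commit, but that is worth confirming before merge since every benchmark would otherwise fail to load. The `benchmark "audit_manager_control_tower"` body begins on the hunk's last context line and continues outside it.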
@@ -11,7 +11,10 @@ benchmark "audit_manager_control_tower_disallow_internet_connection" { benchmark.audit_manager_control_tower_disallow_internet_connection_2_0_1, benchmark.audit_manager_control_tower_disallow_internet_connection_2_0_2 ] - tags = local.audit_manager_control_tower_disallow_internet_connection_common_tags + + tags = merge(local.audit_manager_control_tower_disallow_internet_connection_common_tags, { + service = "AWS/VPC" + }) } benchmark "audit_manager_control_tower_disallow_internet_connection_2_0_1" { @@ -23,6 +26,7 @@ benchmark "audit_manager_control_tower_disallow_internet_connection_2_0_1" { tags = merge(local.audit_manager_control_tower_disallow_internet_connection_common_tags, { audit_manager_control_tower_item_id = "2.0.1" + service = "AWS/VPC" }) } @@ -35,5 +39,6 @@ benchmark "audit_manager_control_tower_disallow_internet_connection_2_0_2" { tags = merge(local.audit_manager_control_tower_disallow_internet_connection_common_tags, { audit_manager_control_tower_item_id = "2.0.2" + service = "AWS/VPC" }) -} \ No newline at end of file +} diff --git a/audit_manager_control_tower/disallow_public_access.sp b/audit_manager_control_tower/disallow_public_access.sp index c59df59a..a05975bb 100644 --- a/audit_manager_control_tower/disallow_public_access.sp +++ b/audit_manager_control_tower/disallow_public_access.sp @@ -25,6 +25,7 @@ benchmark "audit_manager_control_tower_disallow_public_access_4_0_1" { tags = merge(local.audit_manager_control_tower_disallow_public_access_common_tags, { audit_manager_control_tower_item_id = "4.0.1" + service = "AWS/RDS" }) } @@ -37,6 +38,7 @@ benchmark "audit_manager_control_tower_disallow_public_access_4_0_2" { tags = merge(local.audit_manager_control_tower_disallow_public_access_common_tags, { audit_manager_control_tower_item_id = "4.0.2" + service = "AWS/RDS" }) } 
@@ -49,6 +51,7 @@ benchmark "audit_manager_control_tower_disallow_public_access_4_1_1" { tags = merge(local.audit_manager_control_tower_disallow_public_access_common_tags, { audit_manager_control_tower_item_id = "4.1.1" + service = "AWS/S3" }) } @@ -61,5 +64,6 @@ benchmark "audit_manager_control_tower_disallow_public_access_4_1_2" { tags = merge(local.audit_manager_control_tower_disallow_public_access_common_tags, { audit_manager_control_tower_item_id = "4.1.2" + service = "AWS/S3" }) -} \ No newline at end of file +} diff --git a/audit_manager_control_tower/ebs_checks.sp b/audit_manager_control_tower/ebs_checks.sp index 407f3739..8ce5b647 100644 --- a/audit_manager_control_tower/ebs_checks.sp +++ b/audit_manager_control_tower/ebs_checks.sp @@ -12,7 +12,10 @@ benchmark "audit_manager_control_tower_ebs_checks" { benchmark.audit_manager_control_tower_ebs_checks_1_0_2, benchmark.audit_manager_control_tower_ebs_checks_1_0_3 ] - tags = local.audit_manager_control_tower_ebs_checks_common_tags + + tags = merge(local.audit_manager_control_tower_ebs_checks_common_tags, { + service = "AWS/EBS" + }) } benchmark "audit_manager_control_tower_ebs_checks_1_0_1" { @@ -24,6 +27,7 @@ benchmark "audit_manager_control_tower_ebs_checks_1_0_1" { tags = merge(local.audit_manager_control_tower_ebs_checks_common_tags, { audit_manager_control_tower_item_id = "1.0.1" + service = "AWS/EBS" }) } @@ -36,6 +40,7 @@ benchmark "audit_manager_control_tower_ebs_checks_1_0_2" { tags = merge(local.audit_manager_control_tower_ebs_checks_common_tags, { audit_manager_control_tower_item_id = "1.0.2" + service = "AWS/EBS" }) } @@ -48,5 +53,6 @@ benchmark "audit_manager_control_tower_ebs_checks_1_0_3" { tags = merge(local.audit_manager_control_tower_ebs_checks_common_tags, { audit_manager_control_tower_item_id = "1.0.3" + service = "AWS/EBS" }) -} \ No newline at end of file +} 
diff --git a/audit_manager_control_tower/multi_factor_authentication.sp b/audit_manager_control_tower/multi_factor_authentication.sp index 458e9be5..5d73b74b 100644 --- a/audit_manager_control_tower/multi_factor_authentication.sp +++ b/audit_manager_control_tower/multi_factor_authentication.sp @@ -12,7 +12,10 @@ benchmark "audit_manager_control_tower_multi_factor_authentication" { benchmark.audit_manager_control_tower_multi_factor_authentication_3_0_2, benchmark.audit_manager_control_tower_multi_factor_authentication_3_0_3 ] - tags = local.audit_manager_control_tower_multi_factor_authentication_common_tags + + tags = merge(local.audit_manager_control_tower_multi_factor_authentication_common_tags, { + service = "AWS/IAM" + }) } benchmark "audit_manager_control_tower_multi_factor_authentication_3_0_1" { @@ -24,8 +27,10 @@ benchmark "audit_manager_control_tower_multi_factor_authentication_3_0_1" { tags = merge(local.audit_manager_control_tower_multi_factor_authentication_common_tags, { audit_manager_control_tower_item_id = "3.0.1" + service = "AWS/IAM" }) } + benchmark "audit_manager_control_tower_multi_factor_authentication_3_0_2" { title = "3.0.2 - Disallow console access to IAM users without MFA" description = "Disallow console access to IAM users without MFA - Checks whether AWS Multi-Factor Authentication (MFA) is enabled for all AWS Identity and Access Management (IAM) users that use a console password." @@ -35,6 +40,7 @@ benchmark "audit_manager_control_tower_multi_factor_authentication_3_0_2" { tags = merge(local.audit_manager_control_tower_multi_factor_authentication_common_tags, { audit_manager_control_tower_item_id = "3.0.2" + service = "AWS/IAM" }) } @@ -47,5 +53,6 @@ benchmark "audit_manager_control_tower_multi_factor_authentication_3_0_3" { tags = merge(local.audit_manager_control_tower_multi_factor_authentication_common_tags, { audit_manager_control_tower_item_id = "3.0.3" + service = "AWS/IAM" }) -} \ No newline at end of file +} 
diff --git a/cis_v130/cis.sp b/cis_v130/cis.sp index 7d2421e7..e9cfbd71 100644 --- a/cis_v130/cis.sp +++ b/cis_v130/cis.sp @@ -1,9 +1,8 @@ locals { - cis_v130_common_tags = { + cis_v130_common_tags = merge(local.aws_compliance_common_tags, { cis = "true" cis_version = "v1.3.0" - plugin = "aws" - } + }) } benchmark "cis_v130" { @@ -17,5 +16,8 @@ benchmark "cis_v130" { benchmark.cis_v130_4, benchmark.cis_v130_5 ] - tags = local.cis_v130_common_tags + + tags = merge(local.cis_v130_common_tags, { + type = "Benchmark" + }) } diff --git a/cis_v130/section_1.sp b/cis_v130/section_1.sp index d884147b..b6cd0b1c 100644 --- a/cis_v130/section_1.sp +++ b/cis_v130/section_1.sp @@ -31,7 +31,10 @@ benchmark "cis_v130_1" { control.cis_v130_1_21, control.cis_v130_1_22 ] - tags = local.cis_v130_1_common_tags + + tags = merge(local.cis_v130_1_common_tags, { + type = "Benchmark" + }) } control "cis_v130_1_1" { @@ -44,7 +47,7 @@ control "cis_v130_1_1" { cis_item_id = "1.1" cis_level = "1" cis_type = "manual" - service = "iam" + service = "AWS/IAM" }) } @@ -58,7 +61,7 @@ control "cis_v130_1_2" { cis_item_id = "1.2" cis_level = "1" cis_type = "manual" - service = "iam" + service = "AWS/IAM" }) } @@ -72,7 +75,7 @@ control "cis_v130_1_3" { cis_item_id = "1.3" cis_level = "1" cis_type = "manual" - service = "iam" + service = "AWS/IAM" }) } @@ -86,7 +89,7 @@ control "cis_v130_1_4" { cis_item_id = "1.4" cis_level = "1" cis_type = "automated" - service = "iam" + service = "AWS/IAM" }) } @@ -100,7 +103,7 @@ control "cis_v130_1_5" { cis_item_id = "1.5" cis_level = "1" cis_type = "automated" - service = "iam" + service = "AWS/IAM" }) } @@ -114,7 +117,7 @@ control "cis_v130_1_6" { cis_item_id = "1.6" cis_level = "2" cis_type = "automated" - service = "iam" + service = "AWS/IAM" }) } @@ -128,7 +131,7 @@ control "cis_v130_1_7" { cis_item_id = "1.7" cis_level = "1" cis_type = "automated" - service = "iam" + service = "AWS/IAM" }) } 
@@ -142,7 +145,7 @@ control "cis_v130_1_8" { cis_item_id = "1.8" cis_level = "1" cis_type = "automated" - service = "iam" + service = "AWS/IAM" }) } @@ -156,7 +159,7 @@ control "cis_v130_1_9" { cis_item_id = "1.9" cis_level = "1" cis_type = "automated" - service = "iam" + service = "AWS/IAM" }) } @@ -170,7 +173,7 @@ control "cis_v130_1_10" { cis_item_id = "1.10" cis_level = "1" cis_type = "automated" - service = "iam" + service = "AWS/IAM" }) } @@ -184,7 +187,7 @@ control "cis_v130_1_11" { cis_item_id = "1.11" cis_level = "1" cis_type = "manual" - service = "iam" + service = "AWS/IAM" }) } @@ -198,7 +201,7 @@ control "cis_v130_1_12" { cis_item_id = "1.12" cis_level = "1" cis_type = "automated" - service = "iam" + service = "AWS/IAM" }) } @@ -212,7 +215,7 @@ control "cis_v130_1_13" { cis_item_id = "1.13" cis_level = "1" cis_type = "automated" - service = "iam" + service = "AWS/IAM" }) } @@ -226,7 +229,7 @@ control "cis_v130_1_14" { cis_item_id = "1.14" cis_level = "1" cis_type = "automated" - service = "iam" + service = "AWS/IAM" }) } @@ -240,7 +243,7 @@ control "cis_v130_1_15" { cis_item_id = "1.15" cis_level = "1" cis_type = "automated" - service = "iam" + service = "AWS/IAM" }) } @@ -254,7 +257,7 @@ control "cis_v130_1_16" { cis_item_id = "1.16" cis_level = "1" cis_type = "automated" - service = "iam" + service = "AWS/IAM" }) } @@ -268,7 +271,7 @@ control "cis_v130_1_17" { cis_item_id = "1.17" cis_level = "1" cis_type = "automated" - service = "iam" + service = "AWS/IAM" }) } @@ -282,7 +285,7 @@ control "cis_v130_1_18" { cis_item_id = "1.18" cis_level = "2" cis_type = "manual" - service = "iam" + service = "AWS/IAM" }) } @@ -296,7 +299,7 @@ control "cis_v130_1_19" { cis_item_id = "1.19" cis_level = "1" cis_type = "automated" - service = "iam" + service = "AWS/IAM" }) } @@ -310,7 +313,7 @@ control "cis_v130_1_20" { cis_item_id = "1.20" cis_level = "1" cis_type = "automated" - service = "s3" + service = "AWS/S3" }) } 
@@ -324,7 +327,7 @@ control "cis_v130_1_21" { cis_item_id = "1.21" cis_level = "1" cis_type = "automated" - service = "iam" + service = "AWS/IAM" }) } @@ -338,6 +341,6 @@ control "cis_v130_1_22" { cis_item_id = "1.22" cis_level = "2" cis_type = "manual" - service = "iam" + service = "AWS/IAM" }) } diff --git a/cis_v130/section_2.sp b/cis_v130/section_2.sp index f4e6fcde..48a65697 100644 --- a/cis_v130/section_2.sp +++ b/cis_v130/section_2.sp @@ -20,7 +20,10 @@ benchmark "cis_v130_2" { benchmark.cis_v130_2_1, benchmark.cis_v130_2_2 ] - tags = local.cis_v130_2_common_tags + + tags = merge(local.cis_v130_2_common_tags, { + type = "Benchmark" + }) } benchmark "cis_v130_2_1" { @@ -30,7 +33,11 @@ benchmark "cis_v130_2_1" { control.cis_v130_2_1_1, control.cis_v130_2_1_2 ] - tags = local.cis_v130_2_1_common_tags + + tags = merge(local.cis_v130_2_1_common_tags, { + service = "AWS/S3" + type = "Benchmark" + }) } benchmark "cis_v130_2_2" { @@ -39,7 +46,11 @@ benchmark "cis_v130_2_2" { children = [ control.cis_v130_2_2_1 ] - tags = local.cis_v130_2_2_common_tags + + tags = merge(local.cis_v130_2_2_common_tags, { + service = "AWS/EBS" + type = "Benchmark" + }) } control "cis_v130_2_1_1" { @@ -52,7 +63,7 @@ control "cis_v130_2_1_1" { cis_item_id = "2.1.1" cis_level = "1,2" cis_type = "manual" - service = "s3" + service = "AWS/S3" }) } @@ -66,7 +77,7 @@ control "cis_v130_2_1_2" { cis_item_id = "2.1.2" cis_level = "1,2" cis_type = "manual" - service = "s3" + service = "AWS/S3" }) } @@ -80,6 +91,6 @@ control "cis_v130_2_2_1" { cis_item_id = "2.2.1" cis_level = "1,2" cis_type = "manual" - service = "ebs" + service = "AWS/EBS" }) } diff --git a/cis_v130/section_3.sp b/cis_v130/section_3.sp index ce6f77db..b7ae08dd 100644 --- a/cis_v130/section_3.sp +++ b/cis_v130/section_3.sp 
@@ -20,7 +20,10 @@ benchmark "cis_v130_3" { control.cis_v130_3_10, control.cis_v130_3_11 ] - tags = local.cis_v130_3_common_tags + + tags = merge(local.cis_v130_3_common_tags, { + type = "Benchmark" + }) } control "cis_v130_3_1" { @@ -33,7 +36,7 @@ control "cis_v130_3_1" { cis_item_id = "3.1" cis_level = "1" cis_type = "automated" - service = "cloudtrail" + service = "AWS/CloudTrail" }) } @@ -47,7 +50,7 @@ control "cis_v130_3_2" { cis_item_id = "3.2" cis_level = "2" cis_type = "automated" - service = "cloudtrail" + service = "AWS/CloudTrail" }) } @@ -61,7 +64,7 @@ control "cis_v130_3_3" { cis_item_id = "3.3" cis_level = "1" cis_type = "automated" - service = "cloudtrail" + service = "AWS/CloudTrail" }) } @@ -75,7 +78,7 @@ control "cis_v130_3_4" { cis_item_id = "3.4" cis_level = "1" cis_type = "automated" - service = "cloudtrail" + service = "AWS/CloudTrail" }) } @@ -89,7 +92,7 @@ control "cis_v130_3_5" { cis_item_id = "3.5" cis_level = "1" cis_type = "automated" - service = "config" + service = "AWS/Config" }) } @@ -103,7 +106,7 @@ control "cis_v130_3_6" { cis_item_id = "3.6" cis_level = "1" cis_type = "automated" - service = "cloudtrail" + service = "AWS/CloudTrail" }) } @@ -117,7 +120,7 @@ control "cis_v130_3_7" { cis_item_id = "3.7" cis_level = "2" cis_type = "automated" - service = "cloudtrail" + service = "AWS/CloudTrail" }) } @@ -131,7 +134,7 @@ control "cis_v130_3_8" { cis_item_id = "3.8" cis_level = "2" cis_type = "automated" - service = "kms" + service = "AWS/KMS" }) } @@ -145,7 +148,7 @@ control "cis_v130_3_9" { cis_item_id = "3.9" cis_level = "2" cis_type = "automated" - service = "vpc" + service = "AWS/VPC" }) } @@ -159,7 +162,7 @@ control "cis_v130_3_10" { cis_item_id = "3.10" cis_level = "2" cis_type = "automated" - service = "s3" + service = "AWS/S3" }) } @@ -173,6 +176,6 @@ control "cis_v130_3_11" { cis_item_id = "3.11" cis_level = "2" cis_type = "automated" - service = "s3" + service = "AWS/S3" }) } 
diff --git a/cis_v130/section_4.sp b/cis_v130/section_4.sp index 8b9f9ac3..9d08702e 100644 --- a/cis_v130/section_4.sp +++ b/cis_v130/section_4.sp @@ -7,7 +7,6 @@ locals { benchmark "cis_v130_4" { title = "4 Monitoring" documentation = file("./cis_v130/docs/cis_v130_4.md") - tags = local.cis_v130_4_common_tags children = [ control.cis_v130_4_1, control.cis_v130_4_2, @@ -25,6 +24,11 @@ benchmark "cis_v130_4" { control.cis_v130_4_14, control.cis_v130_4_15 ] + + tags = merge(local.cis_v130_4_common_tags, { + type = "Benchmark" + service = "AWS/CloudWatch" + }) } control "cis_v130_4_1" { @@ -37,7 +41,7 @@ control "cis_v130_4_1" { cis_item_id = "4.1" cis_level = "1" cis_type = "automated" - service = "cloudwatch" + service = "AWS/CloudWatch" }) } @@ -51,7 +55,7 @@ control "cis_v130_4_2" { cis_item_id = "4.2" cis_level = "1" cis_type = "automated" - service = "cloudwatch" + service = "AWS/CloudWatch" }) } @@ -65,7 +69,7 @@ control "cis_v130_4_3" { cis_item_id = "4.3" cis_level = "1" cis_type = "automated" - service = "cloudwatch" + service = "AWS/CloudWatch" }) } @@ -79,7 +83,7 @@ control "cis_v130_4_4" { cis_item_id = "4.4" cis_level = "1" cis_type = "automated" - service = "cloudwatch" + service = "AWS/CloudWatch" }) } @@ -93,7 +97,7 @@ control "cis_v130_4_5" { cis_item_id = "4.5" cis_level = "1" cis_type = "automated" - service = "cloudwatch" + service = "AWS/CloudWatch" }) } @@ -107,7 +111,7 @@ control "cis_v130_4_6" { cis_item_id = "4.6" cis_level = "2" cis_type = "automated" - service = "cloudwatch" + service = "AWS/CloudWatch" }) } @@ -121,7 +125,7 @@ control "cis_v130_4_7" { cis_item_id = "4.7" cis_level = "2" cis_type = "automated" - service = "cloudwatch" + service = "AWS/CloudWatch" }) } @@ -135,7 +139,7 @@ control "cis_v130_4_8" { cis_item_id = "4.8" cis_level = "1" cis_type = "automated" - service = "cloudwatch" + service = "AWS/CloudWatch" }) } 
@@ -149,7 +153,7 @@ control "cis_v130_4_9" { cis_item_id = "4.9" cis_level = "2" cis_type = "automated" - service = "cloudwatch" + service = "AWS/CloudWatch" }) } @@ -163,7 +167,7 @@ control "cis_v130_4_10" { cis_item_id = "4.10" cis_level = "2" cis_type = "automated" - service = "cloudwatch" + service = "AWS/CloudWatch" }) } @@ -177,7 +181,7 @@ control "cis_v130_4_11" { cis_item_id = "4.11" cis_level = "2" cis_type = "automated" - service = "cloudwatch" + service = "AWS/CloudWatch" }) } @@ -191,7 +195,7 @@ control "cis_v130_4_12" { cis_item_id = "4.12" cis_level = "1" cis_type = "automated" - service = "cloudwatch" + service = "AWS/CloudWatch" }) } @@ -205,7 +209,7 @@ control "cis_v130_4_13" { cis_item_id = "4.13" cis_level = "1" cis_type = "automated" - service = "cloudwatch" + service = "AWS/CloudWatch" }) } @@ -219,7 +223,7 @@ control "cis_v130_4_14" { cis_item_id = "4.14" cis_level = "1" cis_type = "automated" - service = "cloudwatch" + service = "AWS/CloudWatch" }) } @@ -233,6 +237,6 @@ control "cis_v130_4_15" { cis_item_id = "4.15" cis_level = "1" cis_type = "automated" - service = "cloudwatch" + service = "AWS/CloudWatch" }) } diff --git a/cis_v130/section_5.sp b/cis_v130/section_5.sp index 21c2e055..f07118ee 100644 --- a/cis_v130/section_5.sp +++ b/cis_v130/section_5.sp @@ -7,13 +7,17 @@ locals { benchmark "cis_v130_5" { title = "5 Networking" documentation = file("./cis_v130/docs/cis_v130_5.md") - tags = local.cis_v130_5_common_tags children = [ control.cis_v130_5_1, control.cis_v130_5_2, control.cis_v130_5_3, control.cis_v130_5_4 ] + + tags = merge(local.cis_v130_5_common_tags, { + service = "AWS/VPC" + type = "Benchmark" + }) } control "cis_v130_5_1" { @@ -26,7 +30,7 @@ control "cis_v130_5_1" { cis_item_id = "5.1" cis_level = "1" cis_type = "automated" - service = "vpc" + service = "AWS/VPC" }) } @@ -40,7 +44,7 @@ control "cis_v130_5_2" { cis_item_id = "5.2" cis_level = "1" cis_type = "automated" - service = "vpc" + service = "AWS/VPC" }) } 
@@ -54,7 +58,7 @@ control "cis_v130_5_3" { cis_item_id = "5.3" cis_level = "1" cis_type = "automated" - service = "vpc" + service = "AWS/VPC" }) } @@ -68,6 +72,6 @@ control "cis_v130_5_4" { cis_item_id = "5.4" cis_level = "1" cis_type = "manual" - service = "vpc" + service = "AWS/VPC" }) } diff --git a/cis_v140/cis.sp b/cis_v140/cis.sp index ead5bb07..893f882a 100644 --- a/cis_v140/cis.sp +++ b/cis_v140/cis.sp @@ -1,11 +1,11 @@ locals { - cis_v140_common_tags = { + cis_v140_common_tags = merge(local.aws_compliance_common_tags, { cis = "true" cis_version = "v1.4.0" - plugin = "aws" - } + }) } + benchmark "cis_v140" { title = "CIS v1.4.0" description = "The CIS Amazon Web Services Foundations Benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings." @@ -17,5 +17,8 @@ benchmark "cis_v140" { benchmark.cis_v140_4, benchmark.cis_v140_5 ] - tags = local.cis_v140_common_tags + + tags = merge(local.cis_v140_common_tags, { + type = "Benchmark" + }) } diff --git a/cis_v140/section_1.sp b/cis_v140/section_1.sp index 7419cd5d..c476e40f 100644 --- a/cis_v140/section_1.sp +++ b/cis_v140/section_1.sp @@ -30,7 +30,10 @@ benchmark "cis_v140_1" { control.cis_v140_1_20, control.cis_v140_1_21 ] - tags = local.cis_v140_1_common_tags + + tags = merge(local.cis_v140_1_common_tags, { + type = "Benchmark" + }) } control "cis_v140_1_1" { @@ -43,7 +46,7 @@ control "cis_v140_1_1" { cis_item_id = "1.1" cis_level = "1" cis_type = "manual" - service = "iam" + service = "AWS/IAM" }) } @@ -57,7 +60,7 @@ control "cis_v140_1_2" { cis_item_id = "1.2" cis_level = "1" cis_type = "manual" - service = "iam" + service = "AWS/IAM" }) } @@ -71,7 +74,7 @@ control "cis_v140_1_3" { cis_item_id = "1.3" cis_level = "1" cis_type = "manual" - service = "iam" + service = "AWS/IAM" }) } 
@@ -85,7 +88,7 @@ control "cis_v140_1_4" { cis_item_id = "1.4" cis_level = "1" cis_type = "automated" - service = "iam" + service = "AWS/IAM" }) } @@ -99,7 +102,7 @@ control "cis_v140_1_5" { cis_item_id = "1.5" cis_level = "1" cis_type = "automated" - service = "iam" + service = "AWS/IAM" }) } @@ -113,7 +116,7 @@ control "cis_v140_1_6" { cis_item_id = "1.6" cis_level = "2" cis_type = "automated" - service = "iam" + service = "AWS/IAM" }) } @@ -127,7 +130,7 @@ control "cis_v140_1_7" { cis_item_id = "1.7" cis_level = "1" cis_type = "automated" - service = "iam" + service = "AWS/IAM" }) } @@ -141,7 +144,7 @@ control "cis_v140_1_8" { cis_item_id = "1.8" cis_level = "1" cis_type = "automated" - service = "iam" + service = "AWS/IAM" }) } @@ -155,7 +158,7 @@ control "cis_v140_1_9" { cis_item_id = "1.9" cis_level = "1" cis_type = "automated" - service = "iam" + service = "AWS/IAM" }) } @@ -169,7 +172,7 @@ control "cis_v140_1_10" { cis_item_id = "1.10" cis_level = "1" cis_type = "automated" - service = "iam" + service = "AWS/IAM" }) } @@ -183,7 +186,7 @@ control "cis_v140_1_11" { cis_item_id = "1.11" cis_level = "1" cis_type = "manual" - service = "iam" + service = "AWS/IAM" }) } @@ -197,7 +200,7 @@ control "cis_v140_1_12" { cis_item_id = "1.12" cis_level = "1" cis_type = "automated" - service = "iam" + service = "AWS/IAM" }) } @@ -211,7 +214,7 @@ control "cis_v140_1_13" { cis_item_id = "1.13" cis_level = "1" cis_type = "automated" - service = "iam" + service = "AWS/IAM" }) } @@ -225,7 +228,7 @@ control "cis_v140_1_14" { cis_item_id = "1.14" cis_level = "1" cis_type = "automated" - service = "iam" + service = "AWS/IAM" }) } @@ -239,7 +242,7 @@ control "cis_v140_1_15" { cis_item_id = "1.15" cis_level = "1" cis_type = "automated" - service = "iam" + service = "AWS/IAM" }) } @@ -253,7 +256,7 @@ control "cis_v140_1_16" { cis_item_id = "1.16" cis_level = "1" cis_type = "automated" - service = "iam" + service = "AWS/IAM" }) } 
@@ -267,7 +270,7 @@ control "cis_v140_1_17" { cis_item_id = "1.17" cis_level = "1" cis_type = "automated" - service = "iam" + service = "AWS/IAM" }) } @@ -281,7 +284,7 @@ control "cis_v140_1_18" { cis_item_id = "1.18" cis_level = "2" cis_type = "manual" - service = "iam" + service = "AWS/IAM" }) } @@ -295,7 +298,7 @@ control "cis_v140_1_19" { cis_item_id = "1.19" cis_level = "1" cis_type = "automated" - service = "iam" + service = "AWS/IAM" }) } @@ -309,7 +312,7 @@ control "cis_v140_1_20" { cis_item_id = "1.20" cis_level = "1" cis_type = "automated" - service = "iam" + service = "AWS/IAM" }) } @@ -323,6 +326,6 @@ control "cis_v140_1_21" { cis_item_id = "1.21" cis_level = "2" cis_type = "manual" - service = "iam" + service = "AWS/IAM" }) } diff --git a/cis_v140/section_2.sp b/cis_v140/section_2.sp index 7d0dd614..b6610e9b 100644 --- a/cis_v140/section_2.sp +++ b/cis_v140/section_2.sp @@ -24,7 +24,10 @@ benchmark "cis_v140_2" { benchmark.cis_v140_2_2, benchmark.cis_v140_2_3 ] - tags = local.cis_v140_2_common_tags + + tags = merge(local.cis_v140_2_common_tags, { + type = "Benchmark" + }) } benchmark "cis_v140_2_1" { @@ -37,7 +40,11 @@ benchmark "cis_v140_2_1" { control.cis_v140_2_1_4, control.cis_v140_2_1_5 ] - tags = local.cis_v140_2_1_common_tags + + tags = merge(local.cis_v140_2_1_common_tags, { + service = "AWS/S3" + type = "Benchmark" + }) } control "cis_v140_2_1_1" { @@ -50,7 +57,7 @@ control "cis_v140_2_1_1" { cis_item_id = "2.1.1" cis_level = "2" cis_type = "manual" - service = "s3" + service = "AWS/S3" }) } @@ -64,7 +71,7 @@ control "cis_v140_2_1_2" { cis_item_id = "2.1.2" cis_level = "2" cis_type = "manual" - service = "s3" + service = "AWS/S3" }) } @@ -78,7 +85,7 @@ control "cis_v140_2_1_3" { cis_item_id = "2.1.3" cis_level = "1" cis_type = "automated" - service = "s3" + service = "AWS/S3" }) } @@ -92,7 +99,7 @@ control "cis_v140_2_1_4" { cis_item_id = "2.1.4" cis_level = "2" cis_type = "manual" - service = "s3" + service = "AWS/S3" }) } 
@@ -106,7 +113,7 @@ control "cis_v140_2_1_5" {
 cis_item_id = "2.1.5"
 cis_level = "1"
 cis_type = "automated"
- service = "s3"
+ service = "AWS/S3"
 })
 }
 
@@ -116,7 +123,11 @@ benchmark "cis_v140_2_2" {
 children = [
 control.cis_v140_2_2_1
 ]
- tags = local.cis_v140_2_2_common_tags
+
+ tags = merge(local.cis_v140_2_1_common_tags, {
+ service = "AWS/EBS"
+ type = "Benchmark"
+ })
 }
 
 control "cis_v140_2_2_1" {
@@ -129,7 +140,7 @@ control "cis_v140_2_2_1" {
 cis_item_id = "2.2.1"
 cis_level = "1"
 cis_type = "manual"
- service = "ebs"
+ service = "AWS/EBS"
 })
 }
 
@@ -139,7 +150,11 @@ benchmark "cis_v140_2_3" {
 children = [
 control.cis_v140_2_3_1
 ]
- tags = local.cis_v140_2_3_common_tags
+
+ tags = merge(local.cis_v140_2_1_common_tags, {
+ service = "AWS/RDS"
+ type = "Benchmark"
+ })
 }
 
 control "cis_v140_2_3_1" {
@@ -152,6 +167,6 @@ control "cis_v140_2_3_1" {
 cis_item_id = "2.3.1"
 cis_level = "1"
 cis_type = "automated"
- service = "rds"
+ service = "AWS/RDS"
 })
-}
+}
\ No newline at end of file
diff --git a/cis_v140/section_3.sp b/cis_v140/section_3.sp
index 6d2ba56f..87711972 100644
--- a/cis_v140/section_3.sp
+++ b/cis_v140/section_3.sp
@@ -20,7 +20,10 @@ benchmark "cis_v140_3" {
 control.cis_v140_3_10,
 control.cis_v140_3_11
 ]
- tags = local.cis_v140_3_common_tags
+
+ tags = merge(local.cis_v140_3_common_tags, {
+ type = "Benchmark"
+ })
 }
 
 control "cis_v140_3_1" {
@@ -33,7 +36,7 @@ control "cis_v140_3_1" {
 cis_item_id = "3.1"
 cis_level = "1"
 cis_type = "automated"
- service = "cloudtrail"
+ service = "AWS/CloudTrail"
 })
 }
 
@@ -47,7 +50,7 @@ control "cis_v140_3_2" {
 cis_item_id = "3.2"
 cis_level = "2"
 cis_type = "automated"
- service = "cloudtrail"
+ service = "AWS/CloudTrail"
 })
 }
 
@@ -61,7 +64,7 @@ control "cis_v140_3_3" {
 cis_item_id = "3.3"
 cis_level = "1"
 cis_type = "automated"
- service = "cloudtrail"
+ service = "AWS/CloudTrail"
 })
 }
 
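Review bot: The rewritten `tags` in `benchmark "cis_v140_2_2"` merges `local.cis_v140_2_1_common_tags`, and `benchmark "cis_v140_2_3"` does the same, while the removed lines referenced `cis_v140_2_2_common_tags` and `cis_v140_2_3_common_tags` — the section-specific locals now go unused and both benchmarks inherit section 2.1's tags (what those locals carry, e.g. a section id, is not visible here, but it will now be wrong for 2.2 and 2.3). The cis_v130 section_2 hunk in this same diff gets it right with `cis_v130_2_2_common_tags`. The fix is one line in each benchmark: `tags = merge(local.cis_v140_2_2_common_tags, {` and `tags = merge(local.cis_v140_2_3_common_tags, {`. Separately, the last section_2.sp hunk moves `\ No newline at end of file` to the new side, i.e. it strips the trailing newline that the other files in this diff are adding; restore it for consistency.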
@@ -75,7 +78,7 @@ control "cis_v140_3_4" { cis_item_id = "3.4" cis_level = "1" cis_type = "automated" - service = "cloudtrail" + service = "AWS/CloudTrail" }) } @@ -89,7 +92,7 @@ control "cis_v140_3_5" { cis_item_id = "3.5" cis_level = "2" cis_type = "automated" - service = "config" + service = "AWS/Config" }) } @@ -103,7 +106,7 @@ control "cis_v140_3_6" { cis_item_id = "3.6" cis_level = "1" cis_type = "automated" - service = "cloudtrail" + service = "AWS/CloudTrail" }) } @@ -117,7 +120,7 @@ control "cis_v140_3_7" { cis_item_id = "3.7" cis_level = "2" cis_type = "automated" - service = "cloudtrail" + service = "AWS/CloudTrail" }) } @@ -131,7 +134,7 @@ control "cis_v140_3_8" { cis_item_id = "3.8" cis_level = "2" cis_type = "automated" - service = "kms" + service = "AWS/KMS" }) } @@ -145,7 +148,7 @@ control "cis_v140_3_9" { cis_item_id = "3.9" cis_level = "2" cis_type = "automated" - service = "vpc" + service = "AWS/VPC" }) } @@ -159,7 +162,7 @@ control "cis_v140_3_10" { cis_item_id = "3.10" cis_level = "2" cis_type = "automated" - service = "s3" + service = "AWS/S3" }) } @@ -173,6 +176,6 @@ control "cis_v140_3_11" { cis_item_id = "3.11" cis_level = "2" cis_type = "automated" - service = "s3" + service = "AWS/S3" }) } diff --git a/cis_v140/section_4.sp b/cis_v140/section_4.sp index 59ddeebe..8a0ddc97 100644 --- a/cis_v140/section_4.sp +++ b/cis_v140/section_4.sp @@ -7,7 +7,6 @@ locals { benchmark "cis_v140_4" { title = "4 Monitoring" documentation = file("./cis_v140/docs/cis_v140_4.md") - tags = local.cis_v140_4_common_tags children = [ control.cis_v140_4_1, control.cis_v140_4_2, @@ -25,6 +24,11 @@ benchmark "cis_v140_4" { control.cis_v140_4_14, control.cis_v140_4_15 ] + + tags = merge(local.cis_v140_4_common_tags, { + type = "Benchmark" + service = "AWS/CloudWatch" + }) } control "cis_v140_4_1" { @@ -37,7 +41,7 @@ control "cis_v140_4_1" { cis_item_id = "4.1" cis_level = "1" cis_type = "automated" - service = "cloudwatch" + service = "AWS/CloudWatch" }) } 
@@ -51,7 +55,7 @@ control "cis_v140_4_2" { cis_item_id = "4.2" cis_level = "1" cis_type = "automated" - service = "cloudwatch" + service = "AWS/CloudWatch" }) } @@ -65,7 +69,7 @@ control "cis_v140_4_3" { cis_item_id = "4.3" cis_level = "1" cis_type = "automated" - service = "cloudwatch" + service = "AWS/CloudWatch" }) } @@ -79,7 +83,7 @@ control "cis_v140_4_4" { cis_item_id = "4.4" cis_level = "1" cis_type = "automated" - service = "cloudwatch" + service = "AWS/CloudWatch" }) } @@ -93,7 +97,7 @@ control "cis_v140_4_5" { cis_item_id = "4.5" cis_level = "1" cis_type = "automated" - service = "cloudwatch" + service = "AWS/CloudWatch" }) } @@ -107,7 +111,7 @@ control "cis_v140_4_6" { cis_item_id = "4.6" cis_level = "2" cis_type = "automated" - service = "cloudwatch" + service = "AWS/CloudWatch" }) } @@ -121,7 +125,7 @@ control "cis_v140_4_7" { cis_item_id = "4.7" cis_level = "2" cis_type = "automated" - service = "cloudwatch" + service = "AWS/CloudWatch" }) } @@ -135,7 +139,7 @@ control "cis_v140_4_8" { cis_item_id = "4.8" cis_level = "1" cis_type = "automated" - service = "cloudwatch" + service = "AWS/CloudWatch" }) } @@ -149,7 +153,7 @@ control "cis_v140_4_9" { cis_item_id = "4.9" cis_level = "2" cis_type = "automated" - service = "cloudwatch" + service = "AWS/CloudWatch" }) } @@ -163,7 +167,7 @@ control "cis_v140_4_10" { cis_item_id = "4.10" cis_level = "2" cis_type = "automated" - service = "cloudwatch" + service = "AWS/CloudWatch" }) } @@ -177,7 +181,7 @@ control "cis_v140_4_11" { cis_item_id = "4.11" cis_level = "2" cis_type = "automated" - service = "cloudwatch" + service = "AWS/CloudWatch" }) } @@ -191,7 +195,7 @@ control "cis_v140_4_12" { cis_item_id = "4.12" cis_level = "1" cis_type = "automated" - service = "cloudwatch" + service = "AWS/CloudWatch" }) } @@ -205,7 +209,7 @@ control "cis_v140_4_13" { cis_item_id = "4.13" cis_level = "1" cis_type = "automated" - service = "cloudwatch" + service = "AWS/CloudWatch" }) } 
@@ -219,7 +223,7 @@ control "cis_v140_4_14" {
 cis_item_id = "4.14"
 cis_level = "1"
 cis_type = "automated"
- service = "cloudwatch"
+ service = "AWS/CloudWatch"
 })
 }
@@ -233,6 +237,6 @@ control "cis_v140_4_15" {
 cis_item_id = "4.15"
 cis_level = "1"
 cis_type = "automated"
- service = "cloudwatch"
+ service = "AWS/CloudWatch"
 })
 }
diff --git a/cis_v140/section_5.sp b/cis_v140/section_5.sp
index 1912f1d4..fe47b31e 100644
--- a/cis_v140/section_5.sp
+++ b/cis_v140/section_5.sp
@@ -7,13 +7,17 @@ locals {
 benchmark "cis_v140_5" {
 title = "5 Networking"
 documentation = file("./cis_v140/docs/cis_v140_5.md")
- tags = local.cis_v140_5_common_tags
 children = [
 control.cis_v140_5_1,
 control.cis_v140_5_2,
 control.cis_v140_5_3,
 control.cis_v140_5_4
 ]
+
+ tags = merge(local.cis_v140_5_common_tags, {
+ service = "AWS/VPC"
+ type = "Benchmark"
+ })
 }
 control "cis_v140_5_1" {
@@ -26,7 +30,7 @@ control "cis_v140_5_1" {
 cis_item_id = "5.1"
 cis_level = "1"
 cis_type = "automated"
- service = "vpc"
+ service = "AWS/VPC"
 })
 }
@@ -40,7 +44,7 @@ control "cis_v140_5_2" {
 cis_item_id = "5.2"
 cis_level = "1"
 cis_type = "automated"
- service = "vpc"
+ service = "AWS/VPC"
 })
 }
@@ -54,7 +58,7 @@ control "cis_v140_5_3" {
 cis_item_id = "5.3"
 cis_level = "2"
 cis_type = "automated"
- service = "vpc"
+ service = "AWS/VPC"
 })
 }
@@ -68,6 +72,6 @@ control "cis_v140_5_4" {
 cis_item_id = "5.4"
 cis_level = "2"
 cis_type = "manual"
- service = "vpc"
+ service = "AWS/VPC"
 })
 }
diff --git a/conformance_pack/acm.sp b/conformance_pack/acm.sp
index 25b74c8a..3fc34242 100644
--- a/conformance_pack/acm.sp
+++ b/conformance_pack/acm.sp
@@ -1,7 +1,7 @@
 locals {
- conformance_pack_acm_common_tags = {
- service = "acm"
- }
+ conformance_pack_acm_common_tags = merge(local.aws_compliance_common_tags, {
+ service = "AWS/ACM"
+ })
 }
 control "acm_certificate_expires_30_days" {
diff --git a/conformance_pack/apigateway.sp b/conformance_pack/apigateway.sp
index 37d94009..db2e8717 100644
--- a/conformance_pack/apigateway.sp
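Review bot: The new `tags` block of the `cis_v140_5` benchmark lists `service` before `type`, while the `cis_v140_4` benchmark hunk earlier in this diff and every `foundational_security` benchmark hunk put `type = "Benchmark"` first. The merge result is the same either way, so this is purely a point of style, but the benchmark blocks are likely to be copied as templates and a fixed key order keeps future diffs readable. Swapping the two added lines to `type = "Benchmark"` followed by `service = "AWS/VPC"` would align it with the rest of the commit.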
+++ b/conformance_pack/apigateway.sp
@@ -1,7 +1,7 @@
 locals {
- conformance_pack_apigateway_common_tags = {
- service = "apigateway"
- }
+ conformance_pack_apigateway_common_tags = merge(local.aws_compliance_common_tags, {
+ service = "AWS/APIGateway"
+ })
 }
 control "apigateway_stage_cache_encryption_at_rest_enabled" {
diff --git a/conformance_pack/autoscaling.sp b/conformance_pack/autoscaling.sp
index 379d38f7..516ad292 100644
--- a/conformance_pack/autoscaling.sp
+++ b/conformance_pack/autoscaling.sp
@@ -1,7 +1,7 @@
 locals {
- conformance_pack_autoscaling_common_tags = {
- service = "autoscaling"
- }
+ conformance_pack_autoscaling_common_tags = merge(local.aws_compliance_common_tags, {
+ service = "AWS/AutoScaling"
+ })
 }
 control "autoscaling_group_with_lb_use_health_check" {
diff --git a/conformance_pack/backup.sp b/conformance_pack/backup.sp
index 28505699..32506555 100644
--- a/conformance_pack/backup.sp
+++ b/conformance_pack/backup.sp
@@ -1,7 +1,7 @@
 locals {
- conformance_pack_backup_common_tags = {
- service = "backup"
- }
+ conformance_pack_backup_common_tags = merge(local.aws_compliance_common_tags, {
+ service = "AWS/Backup"
+ })
 }
 control "backup_recovery_point_manual_deletion_disabled" {
diff --git a/conformance_pack/cloudfront.sp b/conformance_pack/cloudfront.sp
index bc1b4315..198dd3ca 100644
--- a/conformance_pack/cloudfront.sp
+++ b/conformance_pack/cloudfront.sp
@@ -1,7 +1,7 @@
 locals {
- conformance_pack_cloudfront_common_tags = {
- service = "cloudfront"
- }
+ conformance_pack_cloudfront_common_tags = merge(local.aws_compliance_common_tags, {
+ service = "AWS/CloudFront"
+ })
 }
 control "cloudfront_distribution_encryption_in_transit_enabled" {
diff --git a/conformance_pack/cloudtrail.sp b/conformance_pack/cloudtrail.sp
index aad3ec3c..f2a897c2 100644
--- a/conformance_pack/cloudtrail.sp
+++ b/conformance_pack/cloudtrail.sp
@@ -1,7 +1,7 @@
 locals {
- conformance_pack_cloudtrail_common_tags = {
- service = "cloudtrail"
- }
+ conformance_pack_cloudtrail_common_tags = merge(local.aws_compliance_common_tags, {
+ service = "AWS/CloudTrail"
+ })
 }
 control "cloudtrail_trail_integrated_with_logs" {
diff --git a/conformance_pack/cloudwatch.sp b/conformance_pack/cloudwatch.sp
index bfab32be..1cda5ff8 100644
--- a/conformance_pack/cloudwatch.sp
+++ b/conformance_pack/cloudwatch.sp
@@ -1,7 +1,7 @@
 locals {
- conformance_pack_cloudwatch_common_tags = {
- service = "cloudwatch"
- }
+ conformance_pack_cloudwatch_common_tags = merge(local.aws_compliance_common_tags, {
+ service = "AWS/CloudWatch"
+ })
 }
 control "cloudwatch_alarm_action_enabled" {
diff --git a/conformance_pack/codebuild.sp b/conformance_pack/codebuild.sp
index 737534bf..cbe1b6ca 100644
--- a/conformance_pack/codebuild.sp
+++ b/conformance_pack/codebuild.sp
@@ -1,7 +1,7 @@
 locals {
- conformance_pack_codebuild_common_tags = {
- service = "codebuild"
- }
+ conformance_pack_codebuild_common_tags = merge(local.aws_compliance_common_tags, {
+ service = "AWS/CodeBuild"
+ })
 }
 control "codebuild_project_plaintext_env_variables_no_sensitive_aws_values" {
diff --git a/conformance_pack/config.sp b/conformance_pack/config.sp
index de8383c6..39804a4e 100644
--- a/conformance_pack/config.sp
+++ b/conformance_pack/config.sp
@@ -1,7 +1,7 @@
 locals {
- conformance_pack_config_common_tags = {
- service = "config"
- }
+ conformance_pack_config_common_tags = merge(local.aws_compliance_common_tags, {
+ service = "AWS/Config"
+ })
 }
 control "config_enabled_all_regions" {
diff --git a/conformance_pack/dax.sp b/conformance_pack/dax.sp
index 8893bc2a..975b721d 100644
--- a/conformance_pack/dax.sp
+++ b/conformance_pack/dax.sp
@@ -1,7 +1,7 @@
 locals {
- conformance_pack_dax_common_tags = {
- service = "dax"
- }
+ conformance_pack_dax_common_tags = merge(local.aws_compliance_common_tags, {
+ service = "AWS/DAX"
+ })
 }
 control "dax_cluster_encryption_at_rest_enabled" {
diff --git a/conformance_pack/dms.sp b/conformance_pack/dms.sp
index 58fe369f..dd797fcc 100644
--- a/conformance_pack/dms.sp
+++ b/conformance_pack/dms.sp
@@ -1,7 +1,7 @@
 locals {
- conformance_pack_dms_common_tags = {
- service = "dms"
- }
+ conformance_pack_dms_common_tags = merge(local.aws_compliance_common_tags, {
+ service = "AWS/DMS"
+ })
 }
 control "dms_replication_instance_not_publicly_accessible" {
diff --git a/conformance_pack/dynamodb.sp b/conformance_pack/dynamodb.sp
index 431fb4ef..4ab8ed63 100644
--- a/conformance_pack/dynamodb.sp
+++ b/conformance_pack/dynamodb.sp
@@ -1,7 +1,7 @@
 locals {
- conformance_pack_dynamodb_common_tags = {
- service = "dynamodb"
- }
+ conformance_pack_dynamodb_common_tags = merge(local.aws_compliance_common_tags, {
+ service = "AWS/DynamoDB"
+ })
 }
 control "dynamodb_table_auto_scaling_enabled" {
diff --git a/conformance_pack/ebs.sp b/conformance_pack/ebs.sp
index 1a2e91d3..8c4c1381 100644
--- a/conformance_pack/ebs.sp
+++ b/conformance_pack/ebs.sp
@@ -1,7 +1,7 @@
 locals {
- conformance_pack_ebs_common_tags = {
- service = "ebs"
- }
+ conformance_pack_ebs_common_tags = merge(local.aws_compliance_common_tags, {
+ service = "AWS/EBS"
+ })
 }
 control "ebs_snapshot_not_publicly_restorable" {
diff --git a/conformance_pack/ec2.sp b/conformance_pack/ec2.sp
index 1ba061ce..bfd538b6 100644
--- a/conformance_pack/ec2.sp
+++ b/conformance_pack/ec2.sp
@@ -1,7 +1,7 @@
 locals {
- conformance_pack_ec2_common_tags = {
- service = "ec2"
- }
+ conformance_pack_ec2_common_tags = merge(local.aws_compliance_common_tags, {
+ service = "AWS/EC2"
+ })
 }
 control "ec2_ebs_default_encryption_enabled" {
diff --git a/conformance_pack/efs.sp b/conformance_pack/efs.sp
index 8cac0642..aa3929e2 100644
--- a/conformance_pack/efs.sp
+++ b/conformance_pack/efs.sp
@@ -1,7 +1,7 @@
 locals {
- conformance_pack_efs_common_tags = {
- service = "efs"
- }
+ conformance_pack_efs_common_tags = merge(local.aws_compliance_common_tags, {
+ service = "AWS/EFS"
+ })
 }
 control "efs_file_system_encrypt_data_at_rest" {
diff --git a/conformance_pack/eks.sp b/conformance_pack/eks.sp
index 4c847ae7..56a5ac15 100644
--- a/conformance_pack/eks.sp
+++ b/conformance_pack/eks.sp
@@ -1,7 +1,7 @@
 locals {
- conformance_pack_eks_common_tags = {
- service = "eks"
- }
+ conformance_pack_eks_common_tags = merge(local.aws_compliance_common_tags, {
+ service = "AWS/EKS"
+ })
 }
 control "eks_cluster_secrets_encrypted" {
diff --git a/conformance_pack/elasticache.sp b/conformance_pack/elasticache.sp
index 4cf2232e..ae820f6a 100644
--- a/conformance_pack/elasticache.sp
+++ b/conformance_pack/elasticache.sp
@@ -1,7 +1,7 @@
 locals {
- conformance_pack_elasticache_common_tags = {
- service = "elasticache"
- }
+ conformance_pack_elasticache_common_tags = merge(local.aws_compliance_common_tags, {
+ service = "AWS/ElastiCache"
+ })
 }
 control "elasticache_redis_cluster_automatic_backup_retention_15_days" {
diff --git a/conformance_pack/elb.sp b/conformance_pack/elb.sp
index 2235b106..c754d27e 100644
--- a/conformance_pack/elb.sp
+++ b/conformance_pack/elb.sp
@@ -1,7 +1,7 @@
 locals {
- conformance_pack_elb_common_tags = {
- service = "elb"
- }
+ conformance_pack_elb_common_tags = merge(local.aws_compliance_common_tags, {
+ service = "AWS/ELB"
+ })
 }
 control "elb_application_classic_lb_logging_enabled" {
diff --git a/conformance_pack/emr.sp b/conformance_pack/emr.sp
index 7d79bc33..595c28de 100644
--- a/conformance_pack/emr.sp
+++ b/conformance_pack/emr.sp
@@ -1,7 +1,7 @@
 locals {
- conformance_pack_emr_common_tags = {
- service = "emr"
- }
+ conformance_pack_emr_common_tags = merge(local.aws_compliance_common_tags, {
+ service = "AWS/EMR"
+ })
 }
 control "emr_cluster_kerberos_enabled" {
diff --git a/conformance_pack/es.sp b/conformance_pack/es.sp
index f3283364..aa1f7712 100644
--- a/conformance_pack/es.sp
+++ b/conformance_pack/es.sp
@@ -1,7 +1,7 @@
 locals {
- conformance_pack_es_common_tags = {
- service = "es"
- }
+ conformance_pack_es_common_tags = merge(local.aws_compliance_common_tags, {
+ service = "AWS/ES"
+ })
 }
 control "es_domain_encryption_at_rest_enabled" {
diff --git a/conformance_pack/fsx.sp b/conformance_pack/fsx.sp
index 7cd8b462..aa6f855e 100644
--- a/conformance_pack/fsx.sp
+++ b/conformance_pack/fsx.sp
@@ -1,6 +1,6 @@
 locals {
 conformance_pack_fsx_common_tags = {
- service = "fsx"
+ service = "AWS/FSx"
 }
 }
diff --git a/conformance_pack/guardduty.sp b/conformance_pack/guardduty.sp
index 2c44b2f7..62ffbc80 100644
--- a/conformance_pack/guardduty.sp
+++ b/conformance_pack/guardduty.sp
@@ -1,7 +1,7 @@
 locals {
- conformance_pack_guardduty_common_tags = {
- service = "guardduty"
- }
+ conformance_pack_guardduty_common_tags = merge(local.aws_compliance_common_tags, {
+ service = "AWS/GuardDuty"
+ })
 }
 control "guardduty_enabled" {
diff --git a/conformance_pack/iam.sp b/conformance_pack/iam.sp
index ff40b8be..2e1c0dbe 100644
--- a/conformance_pack/iam.sp
+++ b/conformance_pack/iam.sp
@@ -1,7 +1,7 @@
 locals {
- conformance_pack_iam_common_tags = {
- service = "iam"
- }
+ conformance_pack_iam_common_tags = merge(local.aws_compliance_common_tags, {
+ service = "AWS/IAM"
+ })
 }
 control "iam_account_password_policy_strong_min_reuse_24" {
diff --git a/conformance_pack/kms.sp b/conformance_pack/kms.sp
index ff18083c..8cb759cb 100644
--- a/conformance_pack/kms.sp
+++ b/conformance_pack/kms.sp
@@ -1,7 +1,7 @@
 locals {
- conformance_pack_kms_common_tags = {
- service = "kms"
- }
+ conformance_pack_kms_common_tags = merge(local.aws_compliance_common_tags, {
+ service = "AWS/KMS"
+ })
 }
 control "kms_key_not_pending_deletion" {
diff --git a/conformance_pack/lambda.sp b/conformance_pack/lambda.sp
index e0422f12..52cf8095 100644
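Review bot: `conformance_pack_fsx_common_tags` in the `conformance_pack/fsx.sp` hunk keeps a plain map and only renames the service value, whereas every other `conformance_pack/*.sp` hunk in this diff wraps its common tags in `merge(local.aws_compliance_common_tags, { ... })`. Controls tagged from this local would therefore lack whatever `aws_compliance_common_tags` carries, so a tag-based selection of all compliance controls would silently skip the FSx checks while every other service is covered. The block should read `conformance_pack_fsx_common_tags = merge(local.aws_compliance_common_tags, {` / `service = "AWS/FSx"` / `})`, matching its siblings.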
--- a/conformance_pack/lambda.sp
+++ b/conformance_pack/lambda.sp
@@ -1,7 +1,7 @@
 locals {
- conformance_pack_lambda_common_tags = {
- service = "lambda"
- }
+ conformance_pack_lambda_common_tags = merge(local.aws_compliance_common_tags, {
+ service = "AWS/Lambda"
+ })
 }
 control "lambda_function_dead_letter_queue_configured" {
diff --git a/conformance_pack/manual_control.sp b/conformance_pack/manual_control.sp
index 97f47504..8b8ce401 100644
--- a/conformance_pack/manual_control.sp
+++ b/conformance_pack/manual_control.sp
@@ -2,5 +2,4 @@ control "manual_control" {
 title = "Manual Control"
 description = "Manual verification is required."
 sql = query.manual_control.sql
-
-}
+}
\ No newline at end of file
diff --git a/conformance_pack/rds.sp b/conformance_pack/rds.sp
index 85fdf37a..158a08ac 100644
--- a/conformance_pack/rds.sp
+++ b/conformance_pack/rds.sp
@@ -1,7 +1,7 @@
 locals {
- conformance_pack_rds_common_tags = {
- service = "rds"
- }
+ conformance_pack_rds_common_tags = merge(local.aws_compliance_common_tags, {
+ service = "AWS/RDS"
+ })
 }
 control "rds_db_instance_backup_enabled" {
diff --git a/conformance_pack/redshift.sp b/conformance_pack/redshift.sp
index 10aed6a1..3933d818 100644
--- a/conformance_pack/redshift.sp
+++ b/conformance_pack/redshift.sp
@@ -1,7 +1,7 @@
 locals {
- conformance_pack_redshift_common_tags = {
- service = "redshift"
- }
+ conformance_pack_redshift_common_tags = merge(local.aws_compliance_common_tags, {
+ service = "AWS/Redshift"
+ })
 }
 control "redshift_cluster_encryption_in_transit_enabled" {
diff --git a/conformance_pack/s3.sp b/conformance_pack/s3.sp
index 66f34898..33a50fe6 100644
--- a/conformance_pack/s3.sp
+++ b/conformance_pack/s3.sp
@@ -1,7 +1,7 @@
 locals {
- conformance_pack_s3_common_tags = {
- service = "s3"
- }
+ conformance_pack_s3_common_tags = merge(local.aws_compliance_common_tags, {
+ service = "AWS/S3"
+ })
 }
 control "s3_bucket_cross_region_replication_enabled" {
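Review bot: The `conformance_pack/manual_control.sp` hunk removes the file's trailing newline (`+}` followed by `\ No newline at end of file`), while the rest of this diff goes the other way and adds the missing final newline to files such as `foundational_security/ecr.sp`. Since this hunk otherwise only drops a blank line before the closing brace, it looks like an editor artifact rather than an intended change. Keeping the newline after the closing `}` would leave every touched file in the same state and avoid a spurious whitespace hunk in the next commit.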
diff --git a/conformance_pack/sagemaker.sp b/conformance_pack/sagemaker.sp
index b69144c7..a7d6230d 100644
--- a/conformance_pack/sagemaker.sp
+++ b/conformance_pack/sagemaker.sp
@@ -1,7 +1,7 @@
 locals {
- conformance_pack_sagemaker_common_tags = {
- service = "sagemaker"
- }
+ conformance_pack_sagemaker_common_tags = merge(local.aws_compliance_common_tags, {
+ service = "AWS/SageMaker"
+ })
 }
 control "sagemaker_notebook_instance_direct_internet_access_disabled" {
diff --git a/conformance_pack/secretsmanager.sp b/conformance_pack/secretsmanager.sp
index a97744b2..4840206a 100644
--- a/conformance_pack/secretsmanager.sp
+++ b/conformance_pack/secretsmanager.sp
@@ -1,7 +1,7 @@
 locals {
- conformance_pack_secretsmanager_common_tags = {
- service = "secretsmanager"
- }
+ conformance_pack_secretsmanager_common_tags = merge(local.aws_compliance_common_tags, {
+ service = "AWS/SecretsManager"
+ })
 }
 control "secretsmanager_secret_automatic_rotation_enabled" {
diff --git a/conformance_pack/securityhub.sp b/conformance_pack/securityhub.sp
index 7b6c264c..04f9ffa1 100644
--- a/conformance_pack/securityhub.sp
+++ b/conformance_pack/securityhub.sp
@@ -1,7 +1,7 @@
 locals {
- conformance_pack_securityhub_common_tags = {
- service = "securityhub"
- }
+ conformance_pack_securityhub_common_tags = merge(local.aws_compliance_common_tags, {
+ service = "AWS/SecurityHub"
+ })
 }
 control "securityhub_enabled" {
diff --git a/conformance_pack/sns.sp b/conformance_pack/sns.sp
index ecd70161..b68aac22 100644
--- a/conformance_pack/sns.sp
+++ b/conformance_pack/sns.sp
@@ -1,7 +1,7 @@
 locals {
- conformance_pack_sns_common_tags = {
- service = "sns"
- }
+ conformance_pack_sns_common_tags = merge(local.aws_compliance_common_tags, {
+ service = "AWS/SNS"
+ })
 }
 control "sns_topic_encrypted_at_rest" {
diff --git a/conformance_pack/ssm.sp b/conformance_pack/ssm.sp
index 04af22d8..7153c940 100644
--- a/conformance_pack/ssm.sp
+++ b/conformance_pack/ssm.sp
@@ -1,7 +1,7 @@
 locals {
- conformance_pack_ssm_common_tags = {
- service = "ssm"
- }
+ conformance_pack_ssm_common_tags = merge(local.aws_compliance_common_tags, {
+ service = "AWS/SSM"
+ })
 }
 control "ec2_instance_ssm_managed" {
diff --git a/conformance_pack/vpc.sp b/conformance_pack/vpc.sp
index d1e2ed54..2edfa4cd 100644
--- a/conformance_pack/vpc.sp
+++ b/conformance_pack/vpc.sp
@@ -1,7 +1,7 @@
 locals {
- conformance_pack_vpc_common_tags = {
- service = "vpc"
- }
+ conformance_pack_vpc_common_tags = merge(local.aws_compliance_common_tags, {
+ service = "AWS/VPC"
+ })
 }
 control "vpc_flow_logs_enabled" {
diff --git a/conformance_pack/wafv2.sp b/conformance_pack/wafv2.sp
index 1e05c811..db6eb100 100644
--- a/conformance_pack/wafv2.sp
+++ b/conformance_pack/wafv2.sp
@@ -1,7 +1,7 @@
 locals {
- conformance_pack_wafv2_common_tags = {
- service = "wafv2"
- }
+ conformance_pack_wafv2_common_tags = merge(local.aws_compliance_common_tags, {
+ service = "AWS/WAFv2"
+ })
 }
 control "wafv2_web_acl_logging_enabled" {
diff --git a/foundational_security/acm.sp b/foundational_security/acm.sp
index 04c8e8e9..d4718cc7 100644
--- a/foundational_security/acm.sp
+++ b/foundational_security/acm.sp
@@ -1,6 +1,6 @@
 locals {
 foundational_security_acm_common_tags = merge(local.foundational_security_common_tags, {
- service = "acm"
+ service = "AWS/ACM"
 })
 }
@@ -10,7 +10,10 @@ benchmark "foundational_security_acm" {
 children = [
 control.foundational_security_acm_1
 ]
- tags = local.foundational_security_acm_common_tags
+
+ tags = merge(local.foundational_security_acm_common_tags, {
+ type = "Benchmark"
+ })
 }
 control "foundational_security_acm_1" {
diff --git a/foundational_security/apigateway.sp b/foundational_security/apigateway.sp
index 0740575f..06dea028 100644
--- a/foundational_security/apigateway.sp
+++ b/foundational_security/apigateway.sp
@@ -1,6 +1,6 @@
 locals {
 foundational_security_apigateway_common_tags = merge(local.foundational_security_common_tags, {
- service = "apigateway"
+ service = "AWS/APIGateway"
 })
 }
@@ -14,7 +14,10 @@ benchmark "foundational_security_apigateway" {
 control.foundational_security_apigateway_4,
 control.foundational_security_apigateway_5
 ]
- tags = local.foundational_security_apigateway_common_tags
+
+ tags = merge(local.foundational_security_apigateway_common_tags, {
+ type = "Benchmark"
+ })
 }
 control "foundational_security_apigateway_1" {
diff --git a/foundational_security/autoscaling.sp b/foundational_security/autoscaling.sp
index 9f800bba..6bcd7343 100644
--- a/foundational_security/autoscaling.sp
+++ b/foundational_security/autoscaling.sp
@@ -1,6 +1,6 @@
 locals {
 foundational_security_autoscaling_common_tags = merge(local.foundational_security_common_tags, {
- service = "autoscaling"
+ service = "AWS/AutoScaling"
 })
 }
@@ -12,7 +12,10 @@ benchmark "foundational_security_autoscaling" {
 control.foundational_security_autoscaling_2,
 control.foundational_security_autoscaling_5
 ]
- tags = local.foundational_security_autoscaling_common_tags
+
+ tags = merge(local.foundational_security_autoscaling_common_tags, {
+ type = "Benchmark"
+ })
 }
 control "foundational_security_autoscaling_1" {
diff --git a/foundational_security/cloudfront.sp b/foundational_security/cloudfront.sp
index f54eecc7..2e95dd14 100644
--- a/foundational_security/cloudfront.sp
+++ b/foundational_security/cloudfront.sp
@@ -1,6 +1,6 @@
 locals {
 foundational_security_cloudfront_common_tags = merge(local.foundational_security_common_tags, {
- service = "cloudfront"
+ service = "AWS/CloudFront"
 })
 }
@@ -18,7 +18,10 @@ benchmark "foundational_security_cloudfront" {
 control.foundational_security_cloudfront_8,
 control.foundational_security_cloudfront_9
 ]
- tags = local.foundational_security_cloudfront_common_tags
+
+ tags = merge(local.foundational_security_cloudfront_common_tags, {
+ type = "Benchmark"
+ })
 }
 control "foundational_security_cloudfront_1" {
diff --git a/foundational_security/cloudtrail.sp b/foundational_security/cloudtrail.sp
index 9f20e0ad..93916fa3 100644
--- a/foundational_security/cloudtrail.sp
+++ b/foundational_security/cloudtrail.sp
@@ -1,6 +1,6 @@
 locals {
 foundational_security_cloudtrail_common_tags = merge(local.foundational_security_common_tags, {
- service = "cloudtrail"
+ service = "AWS/CloudTrail"
 })
 }
@@ -13,7 +13,10 @@ benchmark "foundational_security_cloudtrail" {
 control.foundational_security_cloudtrail_4,
 control.foundational_security_cloudtrail_5
 ]
- tags = local.foundational_security_cloudtrail_common_tags
+
+ tags = merge(local.foundational_security_cloudtrail_common_tags, {
+ type = "Benchmark"
+ })
 }
 control "foundational_security_cloudtrail_1" {
diff --git a/foundational_security/codebuild.sp b/foundational_security/codebuild.sp
index b9e511d6..545472c7 100644
--- a/foundational_security/codebuild.sp
+++ b/foundational_security/codebuild.sp
@@ -1,6 +1,6 @@
 locals {
 foundational_security_codebuild_common_tags = merge(local.foundational_security_common_tags, {
- service = "codebuild"
+ service = "AWS/CodeBuild"
 })
 }
@@ -13,7 +13,10 @@ benchmark "foundational_security_codebuild" {
 control.foundational_security_codebuild_4,
 control.foundational_security_codebuild_5
 ]
- tags = local.foundational_security_codebuild_common_tags
+
+ tags = merge(local.foundational_security_codebuild_common_tags, {
+ type = "Benchmark"
+ })
 }
 control "foundational_security_codebuild_1" {
diff --git a/foundational_security/config.sp b/foundational_security/config.sp
index 530f4020..9fd94263 100644
--- a/foundational_security/config.sp
+++ b/foundational_security/config.sp
@@ -1,6 +1,6 @@
 locals {
 foundational_security_config_common_tags = merge(local.foundational_security_common_tags, {
- service = "config"
+ service = "AWS/Config"
 })
 }
@@ -10,7 +10,10 @@ benchmark "foundational_security_config" {
 children = [
 control.foundational_security_config_1
 ]
- tags = local.foundational_security_config_common_tags
+
+ tags = merge(local.foundational_security_config_common_tags, {
+ type = "Benchmark"
+ })
 }
 control "foundational_security_config_1" {
diff --git a/foundational_security/dms.sp b/foundational_security/dms.sp
index b5ff6ebd..17bfb521 100644
--- a/foundational_security/dms.sp
+++ b/foundational_security/dms.sp
@@ -1,6 +1,6 @@
 locals {
 foundational_security_dms_common_tags = merge(local.foundational_security_common_tags, {
- service = "dms"
+ service = "AWS/DMS"
 })
 }
@@ -10,7 +10,10 @@ benchmark "foundational_security_dms" {
 children = [
 control.foundational_security_dms_1
 ]
- tags = local.foundational_security_dms_common_tags
+
+ tags = merge(local.foundational_security_dms_common_tags, {
+ type = "Benchmark"
+ })
 }
 control "foundational_security_dms_1" {
diff --git a/foundational_security/dynamodb.sp b/foundational_security/dynamodb.sp
index f2ba22c2..aee16406 100644
--- a/foundational_security/dynamodb.sp
+++ b/foundational_security/dynamodb.sp
@@ -1,6 +1,6 @@
 locals {
 foundational_security_dynamodb_common_tags = merge(local.foundational_security_common_tags, {
- service = "dynamodb"
+ service = "AWS/DynamoDB"
 })
 }
@@ -12,7 +12,10 @@ benchmark "foundational_security_dynamodb" {
 control.foundational_security_dynamodb_2,
 control.foundational_security_dynamodb_3
 ]
- tags = local.foundational_security_dynamodb_common_tags
+
+ tags = merge(local.foundational_security_dynamodb_common_tags, {
+ type = "Benchmark"
+ })
 }
 control "foundational_security_dynamodb_1" {
diff --git a/foundational_security/ec2.sp b/foundational_security/ec2.sp
index 1fe0c68d..f68e2e84 100644
--- a/foundational_security/ec2.sp
+++ b/foundational_security/ec2.sp
@@ -1,6 +1,6 @@
 locals {
 foundational_security_ec2_common_tags = merge(local.foundational_security_common_tags, {
- service = "ec2"
+ service = "AWS/EC2"
 })
 }
@@ -25,7 +25,10 @@ benchmark "foundational_security_ec2" {
 control.foundational_security_ec2_21,
 control.foundational_security_ec2_22
 ]
- tags = local.foundational_security_ec2_common_tags
+
+ tags = merge(local.foundational_security_ec2_common_tags, {
+ type = "Benchmark"
+ })
 }
 control "foundational_security_ec2_1" {
diff --git a/foundational_security/ecr.sp b/foundational_security/ecr.sp
index 9ddf46bd..b1997aed 100644
--- a/foundational_security/ecr.sp
+++ b/foundational_security/ecr.sp
@@ -1,6 +1,6 @@
 locals {
 foundational_security_ecr_common_tags = merge(local.foundational_security_common_tags, {
- service = "ecr"
+ service = "AWS/ECR"
 })
 }
@@ -10,7 +10,10 @@ benchmark "foundational_security_ecr" {
 children = [
 control.foundational_security_ecr_3
 ]
- tags = local.foundational_security_ecr_common_tags
+
+ tags = merge(local.foundational_security_ecr_common_tags, {
+ type = "Benchmark"
+ })
 }
 control "foundational_security_ecr_3" {
@@ -24,4 +27,4 @@ control "foundational_security_ecr_3" {
 foundational_security_item_id = "ecr_3"
 foundational_security_category = "resource_configuration"
 })
-}
\ No newline at end of file
+}
diff --git a/foundational_security/ecs.sp b/foundational_security/ecs.sp
index a8466684..130b6aab 100644
--- a/foundational_security/ecs.sp
+++ b/foundational_security/ecs.sp
@@ -1,6 +1,6 @@
 locals {
 foundational_security_ecs_common_tags = merge(local.foundational_security_common_tags, {
- service = "ecs"
+ service = "AWS/ECS"
 })
 }
@@ -11,7 +11,10 @@ benchmark "foundational_security_ecs" {
 control.foundational_security_ecs_1,
 control.foundational_security_ecs_2
 ]
- tags = local.foundational_security_ecs_common_tags
+
+ tags = merge(local.foundational_security_ecs_common_tags, {
+ type = "Benchmark"
+ })
 }
 control "foundational_security_ecs_1" {
diff --git a/foundational_security/efs.sp b/foundational_security/efs.sp
index 8ee25213..85091c19 100644
--- a/foundational_security/efs.sp
+++ b/foundational_security/efs.sp
@@ -1,6 +1,6 @@
 locals {
 foundational_security_efs_common_tags = merge(local.foundational_security_common_tags, {
- service = "efs"
+ service = "AWS/EFS"
 })
 }
@@ -11,7 +11,10 @@ benchmark "foundational_security_efs" {
 control.foundational_security_efs_1,
 control.foundational_security_efs_2
 ]
- tags = local.foundational_security_efs_common_tags
+
+ tags = merge(local.foundational_security_efs_common_tags, {
+ type = "Benchmark"
+ })
 }
 control "foundational_security_efs_1" {
diff --git a/foundational_security/elasticbeanstalk.sp b/foundational_security/elasticbeanstalk.sp
index f82fe5fe..3f677e8c 100644
--- a/foundational_security/elasticbeanstalk.sp
+++ b/foundational_security/elasticbeanstalk.sp
@@ -1,6 +1,6 @@
 locals {
 foundational_security_elasticbeanstalk_common_tags = merge(local.foundational_security_common_tags, {
- service = "elasticbeanstalk"
+ service = "AWS/ElasticBeanstalk"
 })
 }
@@ -10,7 +10,10 @@ benchmark "foundational_security_elasticbeanstalk" {
 children = [
 control.foundational_security_elasticbeanstalk_1
 ]
- tags = local.foundational_security_elasticbeanstalk_common_tags
+
+ tags = merge(local.foundational_security_elasticbeanstalk_common_tags, {
+ type = "Benchmark"
+ })
 }
 control "foundational_security_elasticbeanstalk_1" {
diff --git a/foundational_security/elb.sp b/foundational_security/elb.sp
index 6a313293..69728501 100644
--- a/foundational_security/elb.sp
+++ b/foundational_security/elb.sp
@@ -1,6 +1,6 @@
 locals {
 foundational_security_elb_common_tags = merge(local.foundational_security_common_tags, {
- service = "elb"
+ service = "AWS/ELB"
 })
 }
@@ -15,7 +15,10 @@ benchmark "foundational_security_elb" {
 control.foundational_security_elb_7,
 control.foundational_security_elb_10
 ]
- tags = local.foundational_security_elb_common_tags
+
+ tags = merge(local.foundational_security_elb_common_tags, {
+ type = "Benchmark"
+ })
 }
 control "foundational_security_elb_3" {
diff --git a/foundational_security/elbv2.sp b/foundational_security/elbv2.sp
index 3ee91148..697e95d4 100644
--- a/foundational_security/elbv2.sp
+++ b/foundational_security/elbv2.sp
@@ -1,6 +1,6 @@
 locals {
 foundational_security_elbv2_common_tags = merge(local.foundational_security_common_tags, {
- service = "elbv2"
+ service = "AWS/ELBv2"
 })
 }
@@ -10,7 +10,10 @@ benchmark "foundational_security_elbv2" {
 children = [
 control.foundational_security_elbv2_1
 ]
- tags = local.foundational_security_elbv2_common_tags
+
+ tags = merge(local.foundational_security_elbv2_common_tags, {
+ type = "Benchmark"
+ })
 }
 control "foundational_security_elbv2_1" {
diff --git a/foundational_security/emr.sp b/foundational_security/emr.sp
index fc49f95f..85e60176 100644
--- a/foundational_security/emr.sp
+++ b/foundational_security/emr.sp
@@ -1,6 +1,6 @@
 locals {
 foundational_security_emr_common_tags = merge(local.foundational_security_common_tags, {
- service = "emr"
+ service = "AWS/EMR"
 })
 }
@@ -10,7 +10,10 @@ benchmark "foundational_security_emr" {
 children = [
 control.foundational_security_emr_1
 ]
- tags = local.foundational_security_emr_common_tags
+
+ tags = merge(local.foundational_security_emr_common_tags, {
+ type = "Benchmark"
+ })
 }
 control "foundational_security_emr_1" {
diff --git a/foundational_security/es.sp b/foundational_security/es.sp
index 2240449b..1b48160f 100644
--- a/foundational_security/es.sp
+++ b/foundational_security/es.sp
@@ -1,6 +1,6 @@
 locals {
 foundational_security_es_common_tags = merge(local.foundational_security_common_tags, {
- service = "es"
+ service = "AWS/ES"
 })
 }
@@ -17,7 +17,10 @@ benchmark "foundational_security_es" {
 control.foundational_security_es_7,
 control.foundational_security_es_8
 ]
- tags = local.foundational_security_es_common_tags
+
+ tags = merge(local.foundational_security_es_common_tags, {
+ type = "Benchmark"
+ })
 }
 control "foundational_security_es_1" {
diff --git a/foundational_security/foundational_security.sp b/foundational_security/foundational_security.sp
index 64fb92c9..ac8a04fc 100644
--- a/foundational_security/foundational_security.sp
+++ b/foundational_security/foundational_security.sp
@@ -1,8 +1,7 @@
 locals {
- foundational_security_common_tags = {
+ foundational_security_common_tags = merge(local.aws_compliance_common_tags, {
 aws_foundational_security = "true"
- plugin = "aws"
- }
+ })
 }
 benchmark "foundational_security" {
@@ -42,5 +41,8 @@ benchmark "foundational_security" {
 benchmark.foundational_security_ssm,
 benchmark.foundational_security_sqs
 ]
- tags = local.foundational_security_common_tags
+
+ tags = merge(local.foundational_security_common_tags, {
+ type = "Benchmark"
+ })
 }
diff --git a/foundational_security/guardduty.sp b/foundational_security/guardduty.sp
index 3a95b5c7..81d02b82 100644
--- a/foundational_security/guardduty.sp
+++ b/foundational_security/guardduty.sp
@@ -1,6 +1,6 @@
 locals {
 foundational_security_guardduty_common_tags = merge(local.foundational_security_common_tags, {
- service = "guardduty"
+ service = "AWS/GuardDuty"
 })
 }
@@ -10,7 +10,10 @@ benchmark "foundational_security_guardduty" {
 children = [
 control.foundational_security_guardduty_1
 ]
- tags = local.foundational_security_guardduty_common_tags
+
+ tags = merge(local.foundational_security_guardduty_common_tags, {
+ type = "Benchmark"
+ })
 }
 control "foundational_security_guardduty_1" {
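Review bot: The `foundational_security/foundational_security.sp` hunk drops `plugin = "aws"` from `foundational_security_common_tags` and relies on `local.aws_compliance_common_tags` to supply it, but that local is not defined in any hunk visible here, so whether the `plugin` tag is still inherited by the whole foundational security tree cannot be confirmed from this diff. If `aws_compliance_common_tags` does not carry `plugin = "aws"`, every control and benchmark under `foundational_security` silently loses a tag that callers may select on. A comment on the locals block making the dependency explicit, `# plugin = "aws" is inherited from local.aws_compliance_common_tags`, would let a reader verify the assumption without opening the other file.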
diff --git a/foundational_security/iam.sp b/foundational_security/iam.sp
index 4944a596..5be3d69a 100644
--- a/foundational_security/iam.sp
+++ b/foundational_security/iam.sp
@@ -1,6 +1,6 @@
 locals {
 foundational_security_iam_common_tags = merge(local.foundational_security_common_tags, {
- service = "iam"
+ service = "AWS/IAM"
 })
 }
@@ -18,7 +18,10 @@ benchmark "foundational_security_iam" {
 control.foundational_security_iam_8,
 control.foundational_security_iam_21
 ]
- tags = local.foundational_security_iam_common_tags
+
+ tags = merge(local.foundational_security_iam_common_tags, {
+ type = "Benchmark"
+ })
 }
 control "foundational_security_iam_1" {
diff --git a/foundational_security/kms.sp b/foundational_security/kms.sp
index db24ae05..e1720fa2 100644
--- a/foundational_security/kms.sp
+++ b/foundational_security/kms.sp
@@ -1,6 +1,6 @@
 locals {
 foundational_security_kms_common_tags = merge(local.foundational_security_common_tags, {
- service = "kms"
+ service = "AWS/KMS"
 })
 }
@@ -12,7 +12,10 @@ benchmark "foundational_security_kms" {
 control.foundational_security_kms_2,
 control.foundational_security_kms_3
 ]
- tags = local.foundational_security_kms_common_tags
+
+ tags = merge(local.foundational_security_kms_common_tags, {
+ type = "Benchmark"
+ })
 }
 control "foundational_security_kms_1" {
diff --git a/foundational_security/lambda.sp b/foundational_security/lambda.sp
index d8e83dde..2286c4fa 100644
--- a/foundational_security/lambda.sp
+++ b/foundational_security/lambda.sp
@@ -1,6 +1,6 @@
 locals {
 foundational_security_lambda_common_tags = merge(local.foundational_security_common_tags, {
- service = "lambda"
+ service = "AWS/Lambda"
 })
 }
@@ -13,7 +13,10 @@ benchmark "foundational_security_lambda" {
 control.foundational_security_lambda_4,
 control.foundational_security_lambda_5
 ]
- tags = local.foundational_security_lambda_common_tags
+
+ tags = merge(local.foundational_security_lambda_common_tags, {
+ type = "Benchmark"
+ })
 }
 control "foundational_security_lambda_1" {
diff --git a/foundational_security/networkfirewall.sp b/foundational_security/networkfirewall.sp
index 1f6f7598..dc879e60 100644
--- a/foundational_security/networkfirewall.sp
+++ b/foundational_security/networkfirewall.sp
@@ -1,6 +1,6 @@
 locals {
 foundational_security_networkfirewall_common_tags = merge(local.foundational_security_common_tags, {
- service = "networkfirewall"
+ service = "AWS/NetworkFirewall"
 })
 }
@@ -10,7 +10,10 @@ benchmark "foundational_security_networkfirewall" {
 children = [
 control.foundational_security_networkfirewall_6
 ]
- tags = local.foundational_security_networkfirewall_common_tags
+
+ tags = merge(local.foundational_security_networkfirewall_common_tags, {
+ type = "Benchmark"
+ })
 }
 control "foundational_security_networkfirewall_6" {
diff --git a/foundational_security/rds.sp b/foundational_security/rds.sp
index 7d228457..045eb43e 100644
--- a/foundational_security/rds.sp
+++ b/foundational_security/rds.sp
@@ -1,6 +1,6 @@
 locals {
 foundational_security_rds_common_tags = merge(local.foundational_security_common_tags, {
- service = "rds"
+ service = "AWS/RDS"
 })
 }
@@ -33,7 +33,10 @@ benchmark "foundational_security_rds" {
 control.foundational_security_rds_24,
 control.foundational_security_rds_25
 ]
- tags = local.foundational_security_rds_common_tags
+
+ tags = merge(local.foundational_security_rds_common_tags, {
+ type = "Benchmark"
+ })
 }
 control "foundational_security_rds_1" {
diff --git a/foundational_security/redshift.sp b/foundational_security/redshift.sp
index 6b8909e2..27434253 100644
--- a/foundational_security/redshift.sp
+++ b/foundational_security/redshift.sp
@@ -1,6 +1,6 @@
 locals {
 foundational_security_redshift_common_tags = merge(local.foundational_security_common_tags, {
- service = "redshift"
+ service = "AWS/Redshift"
 })
 }
@@ -16,7 +16,10 @@ benchmark "foundational_security_redshift" { control.foundational_security_redshift_7, control.foundational_security_redshift_8 ] - tags = local.foundational_security_redshift_common_tags + + tags = merge(local.foundational_security_redshift_common_tags, { + type = "Benchmark" + }) } control "foundational_security_redshift_1" { diff --git a/foundational_security/s3.sp b/foundational_security/s3.sp index 2c527fad..47e6aa9c 100644 --- a/foundational_security/s3.sp +++ b/foundational_security/s3.sp @@ -1,6 +1,6 @@ locals { foundational_security_s3_common_tags = merge(local.foundational_security_common_tags, { - service = "s3" + service = "AWS/S3" }) } @@ -19,7 +19,10 @@ benchmark "foundational_security_s3" { control.foundational_security_s3_10, control.foundational_security_s3_11 ] - tags = local.foundational_security_s3_common_tags + + tags = merge(local.foundational_security_s3_common_tags, { + type = "Benchmark" + }) } control "foundational_security_s3_1" { diff --git a/foundational_security/sagemaker.sp b/foundational_security/sagemaker.sp index df63904c..533fa61a 100644 --- a/foundational_security/sagemaker.sp +++ b/foundational_security/sagemaker.sp @@ -1,6 +1,6 @@ locals { foundational_security_sagemaker_common_tags = merge(local.foundational_security_common_tags, { - service = "sagemaker" + service = "AWS/SageMaker" }) } @@ -10,7 +10,10 @@ benchmark "foundational_security_sagemaker" { children = [ control.foundational_security_sagemaker_1 ] - tags = local.foundational_security_sagemaker_common_tags + + tags = merge(local.foundational_security_sagemaker_common_tags, { + type = "Benchmark" + }) } control "foundational_security_sagemaker_1" { diff --git a/foundational_security/secretsmanager.sp b/foundational_security/secretsmanager.sp index 1cd5d53a..44bf4d51 100644 --- a/foundational_security/secretsmanager.sp +++ b/foundational_security/secretsmanager.sp 
@@ -1,6 +1,6 @@ locals { foundational_security_secretsmanager_common_tags = merge(local.foundational_security_common_tags, { - service = "secretsmanager" + service = "AWS/SecretsManager" }) } @@ -13,7 +13,10 @@ benchmark "foundational_security_secretsmanager" { control.foundational_security_secretsmanager_3, control.foundational_security_secretsmanager_4 ] - tags = local.foundational_security_secretsmanager_common_tags + + tags = merge(local.foundational_security_secretsmanager_common_tags, { + type = "Benchmark" + }) } control "foundational_security_secretsmanager_1" { diff --git a/foundational_security/sns.sp b/foundational_security/sns.sp index d9045dce..02dc31a8 100644 --- a/foundational_security/sns.sp +++ b/foundational_security/sns.sp @@ -1,6 +1,6 @@ locals { foundational_security_sns_common_tags = merge(local.foundational_security_common_tags, { - service = "sns" + service = "AWS/SNS" }) } @@ -10,7 +10,10 @@ benchmark "foundational_security_sns" { children = [ control.foundational_security_sns_1 ] - tags = local.foundational_security_sns_common_tags + + tags = merge(local.foundational_security_sns_common_tags, { + type = "Benchmark" + }) } control "foundational_security_sns_1" { diff --git a/foundational_security/sqs.sp b/foundational_security/sqs.sp index d3ed1bb7..437aff33 100644 --- a/foundational_security/sqs.sp +++ b/foundational_security/sqs.sp @@ -1,6 +1,6 @@ locals { foundational_security_sqs_common_tags = merge(local.foundational_security_common_tags, { - service = "sqs" + service = "AWS/SQS" }) } @@ -10,7 +10,10 @@ benchmark "foundational_security_sqs" { children = [ control.foundational_security_sqs_1 ] - tags = local.foundational_security_sqs_common_tags + + tags = merge(local.foundational_security_sqs_common_tags, { + type = "Benchmark" + }) } control "foundational_security_sqs_1" { diff --git a/foundational_security/ssm.sp b/foundational_security/ssm.sp index 58ff7d52..b1c57f7b 100644 --- a/foundational_security/ssm.sp 
+++ b/foundational_security/ssm.sp @@ -1,6 +1,6 @@ locals { foundational_security_ssm_common_tags = merge(local.foundational_security_common_tags, { - service = "ssm" + service = "AWS/SSM" }) } @@ -12,7 +12,10 @@ benchmark "foundational_security_ssm" { control.foundational_security_ssm_2, control.foundational_security_ssm_3 ] - tags = local.foundational_security_ssm_common_tags + + tags = merge(local.foundational_security_ssm_common_tags, { + type = "Benchmark" + }) } control "foundational_security_ssm_1" { diff --git a/gdpr/gdpr.sp b/gdpr/gdpr.sp index 77c33a9c..8df8df95 100644 --- a/gdpr/gdpr.sp +++ b/gdpr/gdpr.sp @@ -1,8 +1,8 @@ locals { - gdpr_common_tags = { - gdpr = "true" - plugin = "aws" - } + gdpr_common_tags = merge(local.aws_compliance_common_tags, { + gdpr = "true" + type = "Benchmark" + }) } benchmark "gdpr" { diff --git a/hipaa/164_308/164_308_a_3_ii_b.sp b/hipaa/164_308/164_308_a_3_ii_b.sp index 982829f2..53e669e7 100644 --- a/hipaa/164_308/164_308_a_3_ii_b.sp +++ b/hipaa/164_308/164_308_a_3_ii_b.sp @@ -12,5 +12,6 @@ benchmark "hipaa_164_308_a_3_ii_b" { tags = merge(local.hipaa_164_308_common_tags, { hipaa_item_id = "164_308_a_3_ii_b" + service = "AWS/IAM" }) } diff --git a/hipaa/164_308/164_308_a_3_ii_c.sp b/hipaa/164_308/164_308_a_3_ii_c.sp index 4804db67..4b7247c4 100644 --- a/hipaa/164_308/164_308_a_3_ii_c.sp +++ b/hipaa/164_308/164_308_a_3_ii_c.sp @@ -7,5 +7,6 @@ benchmark "hipaa_164_308_a_3_ii_c" { tags = merge(local.hipaa_164_308_common_tags, { hipaa_item_id = "164_308_a_3_ii_c" + service = "AWS/IAM" }) } \ No newline at end of file diff --git a/hipaa/164_308/164_308_a_4_i.sp b/hipaa/164_308/164_308_a_4_i.sp index bbcc6eed..7a5ddd6d 100644 --- a/hipaa/164_308/164_308_a_4_i.sp +++ b/hipaa/164_308/164_308_a_4_i.sp @@ -10,5 +10,6 @@ benchmark "hipaa_164_308_a_4_i" { tags = merge(local.hipaa_164_308_common_tags, { hipaa_item_id = "164_308_a_4_i" + service = "AWS/IAM" }) } 
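Review bot: In gdpr/gdpr.sp the new `type = "Benchmark"` is placed inside `gdpr_common_tags`, so anything that merges this local — not just the `gdpr` benchmark — inherits `type = "Benchmark"`; the PCI files in this same commit instead keep `type` out of `pci_v321_common_tags` and set it per `benchmark` block, which is the safer pattern. If any `control` block under gdpr/ merges `local.gdpr_common_tags` (not visible here), it would be mis-typed and a tag-filtered run such as `steampipe check all --tag type=Benchmark` would pull controls in as benchmarks. I would drop the `type` line from the local and set it where the benchmark is declared: `tags = merge(local.gdpr_common_tags, { type = "Benchmark" })`. The `benchmark "gdpr" {` body continues outside the hunk.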
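Review bot: In hipaa/164_308/164_308_a_3_ii_c.sp the `service = "AWS/IAM"` line is added but the file still ends without a trailing newline — the `\ No newline at end of file` marker follows the closing `}` on both sides. Since the file is already being touched, end it with a newline after `}` so the next one-line addition does not produce a spurious `-}`/`+}` pair in review. Purely a style point; the tag itself looks right for the `164_308_a_3_ii_c` benchmark.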
diff --git a/hipaa/164_308/164_308_a_4_ii_b.sp b/hipaa/164_308/164_308_a_4_ii_b.sp index d9021a39..c82a82e2 100644 --- a/hipaa/164_308/164_308_a_4_ii_b.sp +++ b/hipaa/164_308/164_308_a_4_ii_b.sp @@ -10,5 +10,6 @@ benchmark "hipaa_164_308_a_4_ii_b" { tags = merge(local.hipaa_164_308_common_tags, { hipaa_item_id = "164_308_a_4_ii_b" + service = "AWS/IAM" }) } diff --git a/hipaa/164_308/164_308_a_5_ii_d.sp b/hipaa/164_308/164_308_a_5_ii_d.sp index 39edf0c8..fc8c36fe 100644 --- a/hipaa/164_308/164_308_a_5_ii_d.sp +++ b/hipaa/164_308/164_308_a_5_ii_d.sp @@ -15,5 +15,6 @@ benchmark "hipaa_164_308_a_5_ii_d" { tags = merge(local.hipaa_164_308_common_tags, { hipaa_item_id = "164_308_a_5_ii_d" + service = "AWS/IAM" }) } diff --git a/hipaa/164_312/164_312_d.sp b/hipaa/164_312/164_312_d.sp index 466bb5e8..eeb07441 100644 --- a/hipaa/164_312/164_312_d.sp +++ b/hipaa/164_312/164_312_d.sp @@ -11,5 +11,6 @@ benchmark "hipaa_164_312_d" { tags = merge(local.hipaa_164_312_common_tags, { hipaa_item_id = "164_312_d" + service = "AWS/IAM" }) } \ No newline at end of file diff --git a/hipaa/hipaa.sp b/hipaa/hipaa.sp index 1f2f7446..c4363a67 100644 --- a/hipaa/hipaa.sp +++ b/hipaa/hipaa.sp @@ -1,8 +1,8 @@ locals { - hipaa_common_tags = { - hipaa = "true" - plugin = "aws" - } + hipaa_common_tags = merge(local.aws_compliance_common_tags, { + hipaa = "true" + type = "Benchmark" + }) } benchmark "hipaa" { diff --git a/mod.sp b/mod.sp index 4d23e6a6..f70b8354 100644 --- a/mod.sp +++ b/mod.sp @@ -1,3 +1,12 @@ +// Benchmarks and controls for specific services should override the "service" tag +locals { + aws_compliance_common_tags = { + category = "Compliance" + plugin = "aws" + service = "AWS" + } +} + mod "aws_compliance" { # hub metadata title = "AWS Compliance" 
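Review bot: The new comment in mod.sp uses `//` while the `mod` block two lines below uses `# hub metadata`; HCL accepts both, but mixing them in one file is inconsistent, and the comment does not say that `service = "AWS"` is only a fallback. I would make that explicit so a reader of `steampipe check` output knows what an un-overridden value means: `# Default tags for every benchmark and control in this mod. "service" is a placeholder —` / `# service-specific benchmarks and controls must override it, so anything still reporting` / `# service=AWS has not been tagged yet.` This also documents why several framework-level benchmarks in this commit (gdpr, hipaa, nist, rbi, soc_2) intentionally keep `service = "AWS"` while their children override it.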
@@ -8,9 +17,9 @@ mod "aws_compliance" { categories = ["aws", "cis", "compliance", "pci dss", "public cloud", "security"] opengraph { - title = "Steampipe Mod for AWS Compliance" - description = "Run individual configuration, compliance and security controls or full compliance benchmarks for CIS, PCI, NIST, HIPAA, RBI CSF, GDPR, SOC 2, Audit Manager Control Tower and AWS Foundational Security Best Practices controls across all your AWS accounts using Steampipe." - image = "/images/mods/turbot/aws-compliance-social-graphic.png" + title = "Steampipe Mod for AWS Compliance" + description = "Run individual configuration, compliance and security controls or full compliance benchmarks for CIS, PCI, NIST, HIPAA, RBI CSF, GDPR, SOC 2, Audit Manager Control Tower and AWS Foundational Security Best Practices controls across all your AWS accounts using Steampipe." + image = "/images/mods/turbot/aws-compliance-social-graphic.png" } requires { diff --git a/nist_800_53_rev_4/ac.sp b/nist_800_53_rev_4/ac.sp index 0847d3c9..a28293c7 100644 --- a/nist_800_53_rev_4/ac.sp +++ b/nist_800_53_rev_4/ac.sp @@ -69,7 +69,9 @@ benchmark "nist_800_53_rev_4_ac_2_3" { control.iam_user_unused_credentials_90 ] - tags = local.nist_800_53_rev_4_common_tags + tags = merge(local.nist_800_53_rev_4_common_tags, { + service = "AWS/IAM" + }) } benchmark "nist_800_53_rev_4_ac_2_4" { @@ -206,7 +208,9 @@ benchmark "nist_800_53_rev_4_ac_6_10" { control.iam_root_user_no_access_keys ] - tags = local.nist_800_53_rev_4_common_tags + tags = merge(local.nist_800_53_rev_4_common_tags, { + service = "AWS/IAM" + }) } benchmark "nist_800_53_rev_4_ac_17" { @@ -255,7 +259,9 @@ benchmark "nist_800_53_rev_4_ac_17_3" { control.vpc_igw_attached_to_authorized_vpc ] - tags = local.nist_800_53_rev_4_common_tags + tags = merge(local.nist_800_53_rev_4_common_tags, { + service = "AWS/VPC" + }) } benchmark "nist_800_53_rev_4_ac_21" { diff --git a/nist_800_53_rev_4/au.sp b/nist_800_53_rev_4/au.sp index 8744b299..de8f6d15 100644 
--- a/nist_800_53_rev_4/au.sp +++ b/nist_800_53_rev_4/au.sp @@ -131,7 +131,9 @@ benchmark "nist_800_53_rev_4_au_9_2" { control.s3_bucket_cross_region_replication_enabled ] - tags = local.nist_800_53_rev_4_common_tags + tags = merge(local.nist_800_53_rev_4_common_tags, { + service = "AWS/S3" + }) } benchmark "nist_800_53_rev_4_au_11" { @@ -141,7 +143,9 @@ benchmark "nist_800_53_rev_4_au_11" { control.cloudwatch_log_group_retention_period_365 ] - tags = local.nist_800_53_rev_4_common_tags + tags = merge(local.nist_800_53_rev_4_common_tags, { + service = "AWS/CloudWatch" + }) } benchmark "nist_800_53_rev_4_au_12" { diff --git a/nist_800_53_rev_4/cm.sp b/nist_800_53_rev_4/cm.sp index 428dd4aa..ce54262a 100644 --- a/nist_800_53_rev_4/cm.sp +++ b/nist_800_53_rev_4/cm.sp @@ -55,7 +55,9 @@ benchmark "nist_800_53_rev_4_cm_8_1" { control.ec2_instance_ssm_managed ] - tags = local.nist_800_53_rev_4_common_tags + tags = merge(local.nist_800_53_rev_4_common_tags, { + service = "AWS/EC2" + }) } benchmark "nist_800_53_rev_4_cm_8_3" { diff --git a/nist_800_53_rev_4/ia.sp b/nist_800_53_rev_4/ia.sp index 165d2443..c7384953 100644 --- a/nist_800_53_rev_4/ia.sp +++ b/nist_800_53_rev_4/ia.sp @@ -32,7 +32,9 @@ benchmark "nist_800_53_rev_4_ia_2_1" { control.iam_user_mfa_enabled ] - tags = local.nist_800_53_rev_4_common_tags + tags = merge(local.nist_800_53_rev_4_common_tags, { + service = "AWS/IAM" + }) } benchmark "nist_800_53_rev_4_ia_2_2" { @@ -43,7 +45,9 @@ benchmark "nist_800_53_rev_4_ia_2_2" { control.iam_user_mfa_enabled ] - tags = local.nist_800_53_rev_4_common_tags + tags = merge(local.nist_800_53_rev_4_common_tags, { + service = "AWS/IAM" + }) } benchmark "nist_800_53_rev_4_ia_2_11" { @@ -56,7 +60,9 @@ benchmark "nist_800_53_rev_4_ia_2_11" { control.iam_user_mfa_enabled ] - tags = local.nist_800_53_rev_4_common_tags + tags = merge(local.nist_800_53_rev_4_common_tags, { + service = "AWS/IAM" + }) } benchmark "nist_800_53_rev_4_ia_5" { 
@@ -78,7 +84,9 @@ benchmark "nist_800_53_rev_4_ia_5_1" { control.iam_account_password_policy_strong_min_reuse_24 ] - tags = local.nist_800_53_rev_4_common_tags + tags = merge(local.nist_800_53_rev_4_common_tags, { + service = "AWS/IAM" + }) } benchmark "nist_800_53_rev_4_ia_5_4" { @@ -88,7 +96,9 @@ benchmark "nist_800_53_rev_4_ia_5_4" { control.iam_account_password_policy_strong_min_reuse_24 ] - tags = local.nist_800_53_rev_4_common_tags + tags = merge(local.nist_800_53_rev_4_common_tags, { + service = "AWS/IAM" + }) } benchmark "nist_800_53_rev_4_ia_5_7" { @@ -98,5 +108,7 @@ benchmark "nist_800_53_rev_4_ia_5_7" { control.codebuild_project_plaintext_env_variables_no_sensitive_aws_values ] - tags = local.nist_800_53_rev_4_common_tags + tags = merge(local.nist_800_53_rev_4_common_tags, { + service = "AWS/CodeBuild" + }) } diff --git a/nist_800_53_rev_4/ir.sp b/nist_800_53_rev_4/ir.sp index ddaf26d7..7dcbb4f4 100644 --- a/nist_800_53_rev_4/ir.sp +++ b/nist_800_53_rev_4/ir.sp @@ -48,7 +48,9 @@ benchmark "nist_800_53_rev_4_ir_6_1" { control.guardduty_finding_archived ] - tags = local.nist_800_53_rev_4_common_tags + tags = merge(local.nist_800_53_rev_4_common_tags, { + service = "AWS/GuardDuty" + }) } benchmark "nist_800_53_rev_4_ir_7" { @@ -68,5 +70,7 @@ benchmark "nist_800_53_rev_4_ir_7_1" { control.guardduty_finding_archived ] - tags = local.nist_800_53_rev_4_common_tags + tags = merge(local.nist_800_53_rev_4_common_tags, { + service = "AWS/GuardDuty" + }) } diff --git a/nist_800_53_rev_4/nist_800_53_rev_4.sp b/nist_800_53_rev_4/nist_800_53_rev_4.sp index a86704a1..baeca9d2 100644 --- a/nist_800_53_rev_4/nist_800_53_rev_4.sp +++ b/nist_800_53_rev_4/nist_800_53_rev_4.sp @@ -1,8 +1,8 @@ locals { - nist_800_53_rev_4_common_tags = { + nist_800_53_rev_4_common_tags = merge(local.aws_compliance_common_tags, { nist_800_53_rev_4 = "true" - plugin = "aws" - } + type = "Benchmark" + }) } benchmark "nist_800_53_rev_4" { 
diff --git a/nist_800_53_rev_4/ra.sp b/nist_800_53_rev_4/ra.sp index 2be8b4fc..1f679dfe 100644 --- a/nist_800_53_rev_4/ra.sp +++ b/nist_800_53_rev_4/ra.sp @@ -16,5 +16,7 @@ benchmark "nist_800_53_rev_4_ra_5" { control.guardduty_finding_archived ] - tags = local.nist_800_53_rev_4_common_tags + tags = merge(local.nist_800_53_rev_4_common_tags, { + service = "AWS/GuardDuty" + }) } diff --git a/nist_800_53_rev_4/sc.sp b/nist_800_53_rev_4/sc.sp index b87f2edf..0fb501e0 100644 --- a/nist_800_53_rev_4/sc.sp +++ b/nist_800_53_rev_4/sc.sp @@ -24,7 +24,9 @@ benchmark "nist_800_53_rev_4_sc_2" { control.iam_policy_no_star_star ] - tags = local.nist_800_53_rev_4_common_tags + tags = merge(local.nist_800_53_rev_4_common_tags, { + service = "AWS/IAM" + }) } benchmark "nist_800_53_rev_4_sc_4" { @@ -34,7 +36,9 @@ benchmark "nist_800_53_rev_4_sc_4" { control.ebs_attached_volume_delete_on_termination_enabled ] - tags = local.nist_800_53_rev_4_common_tags + tags = merge(local.nist_800_53_rev_4_common_tags, { + service = "AWS/EBS" + }) } benchmark "nist_800_53_rev_4_sc_5" { @@ -173,7 +177,9 @@ benchmark "nist_800_53_rev_4_sc_13" { control.dynamodb_table_encrypted_with_kms_cmk ] - tags = local.nist_800_53_rev_4_common_tags + tags = merge(local.nist_800_53_rev_4_common_tags, { + service = "AWS/DynamoDB" + }) } benchmark "nist_800_53_rev_4_sc_23" { @@ -185,7 +191,9 @@ benchmark "nist_800_53_rev_4_sc_23" { control.elb_classic_lb_use_tls_https_listeners ] - tags = local.nist_800_53_rev_4_common_tags + tags = merge(local.nist_800_53_rev_4_common_tags, { + service = "AWS/ELB" + }) } benchmark "nist_800_53_rev_4_sc_28" { diff --git a/nist_800_53_rev_4/si.sp b/nist_800_53_rev_4/si.sp index c9cc5347..17109413 100644 --- a/nist_800_53_rev_4/si.sp +++ b/nist_800_53_rev_4/si.sp 
@@ -62,7 +62,9 @@ benchmark "nist_800_53_rev_4_si_4_1" { control.guardduty_enabled ] - tags = local.nist_800_53_rev_4_common_tags + tags = merge(local.nist_800_53_rev_4_common_tags, { + service = "AWS/GuardDuty" + }) } benchmark "nist_800_53_rev_4_si_4_2" { diff --git a/nist_csf/function_de.sp b/nist_csf/function_de.sp index 71cdf989..b85564fc 100644 --- a/nist_csf/function_de.sp +++ b/nist_csf/function_de.sp @@ -289,5 +289,7 @@ benchmark "nist_csf_de_dp_5" { control.ec2_instance_detailed_monitoring_enabled ] - tags = local.nist_csf_common_tags + tags = merge(local.nist_csf_common_tags, { + service = "AWS/EC2" + }) } diff --git a/nist_csf/function_id.sp b/nist_csf/function_id.sp index 9b62b806..4acfff74 100644 --- a/nist_csf/function_id.sp +++ b/nist_csf/function_id.sp @@ -86,7 +86,9 @@ benchmark "nist_csf_id_am_6" { control.iam_user_in_group ] - tags = local.nist_csf_common_tags + tags = merge(local.nist_csf_common_tags, { + service = "AWS/IAM" + }) } benchmark "nist_csf_id_be" { diff --git a/nist_csf/function_pr.sp b/nist_csf/function_pr.sp index 3d0684a5..06afd4a3 100644 --- a/nist_csf/function_pr.sp +++ b/nist_csf/function_pr.sp @@ -156,7 +156,9 @@ benchmark "nist_csf_pr_ac_7" { control.iam_user_mfa_enabled ] - tags = local.nist_csf_common_tags + tags = merge(local.nist_csf_common_tags, { + service = "AWS/IAM" + }) } benchmark "nist_csf_pr_ds" { @@ -288,7 +290,9 @@ benchmark "nist_csf_pr_ds_6" { control.cloudtrail_trail_validation_enabled ] - tags = local.nist_csf_common_tags + tags = merge(local.nist_csf_common_tags, { + service = "AWS/CloudTrail" + }) } benchmark "nist_csf_pr_ds_7" { @@ -374,7 +378,9 @@ benchmark "nist_csf_pr_ip_3" { control.elb_application_lb_deletion_protection_enabled ] - tags = local.nist_csf_common_tags + tags = merge(local.nist_csf_common_tags, { + service = "AWS/ELB" + }) } benchmark "nist_csf_pr_ip_4" { 
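Review bot: `nist_csf_pr_ip_3` is tagged `service = "AWS/ELB"`, but its visible child `elb_application_lb_deletion_protection_enabled` is an Application Load Balancer (ELBv2) control, whereas the PCI `elbv2.sp` in this same commit tags the equivalent resources `service = "AWS/ELBv2"`. With two spellings, a tag-filtered run such as `steampipe check all --tag service=AWS/ELB` or any dashboard grouping by `service` will split load-balancer findings across two buckets. Pick one canonical value for the whole mod and use it in both places; if `AWS/ELB` is meant as the umbrella for classic and v2 load balancers, change pci_v321/elbv2.sp to `service = "AWS/ELB"` and say so in the mod.sp comment. The `nist_csf_pr_ip_3` benchmark body starts outside the hunk, so I can only see its last child.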
@@ -400,7 +406,9 @@ benchmark "nist_csf_pr_ip_7" { control.ec2_instance_ebs_optimized ] - tags = local.nist_csf_common_tags + tags = merge(local.nist_csf_common_tags, { + service = "AWS/EC2" + }) } benchmark "nist_csf_pr_ip_8" { @@ -496,7 +504,9 @@ benchmark "nist_csf_pr_ma_2" { control.cloudtrail_trail_enabled ] - tags = local.nist_csf_common_tags + tags = merge(local.nist_csf_common_tags, { + service = "AWS/CloudTrail" + }) } benchmark "nist_csf_pr_pt" { diff --git a/nist_csf/function_rs.sp b/nist_csf/function_rs.sp index 686ecd5f..d973a52a 100644 --- a/nist_csf/function_rs.sp +++ b/nist_csf/function_rs.sp @@ -30,7 +30,9 @@ benchmark "nist_csf_rs_an_2" { control.guardduty_finding_archived ] - tags = local.nist_csf_common_tags + tags = merge(local.nist_csf_common_tags, { + service = "AWS/GuardDuty" + }) } benchmark "nist_csf_rs_mi" { @@ -52,7 +54,9 @@ benchmark "nist_csf_rs_mi_3" { control.guardduty_finding_archived ] - tags = local.nist_csf_common_tags + tags = merge(local.nist_csf_common_tags, { + service = "AWS/GuardDuty" + }) } benchmark "nist_csf_rs_rp" { diff --git a/nist_csf/nist_csf.sp b/nist_csf/nist_csf.sp index f3e18f71..6e7abfe9 100644 --- a/nist_csf/nist_csf.sp +++ b/nist_csf/nist_csf.sp @@ -1,8 +1,8 @@ locals { - nist_csf_common_tags = { + nist_csf_common_tags = merge(local.aws_compliance_common_tags, { nist_csf = "true" - plugin = "aws" - } + type = "Benchmark" + }) } benchmark "nist_csf" { diff --git a/pci_v321/autoscaling.sp b/pci_v321/autoscaling.sp index fcb444f7..23919f9d 100644 --- a/pci_v321/autoscaling.sp +++ b/pci_v321/autoscaling.sp @@ -1,6 +1,6 @@ locals { pci_v321_autoscaling_common_tags = merge(local.pci_v321_common_tags, { - service = "autoscaling" + service = "AWS/AutoScaling" }) } 
@@ -10,7 +10,10 @@ benchmark "pci_v321_autoscaling" { children = [ control.pci_v321_autoscaling_1, ] - tags = local.pci_v321_autoscaling_common_tags + + tags = merge(local.pci_v321_autoscaling_common_tags, { + type = "Benchmark" + }) } control "pci_v321_autoscaling_1" { diff --git a/pci_v321/cloudtrail.sp b/pci_v321/cloudtrail.sp index a4727600..04ad766f 100644 --- a/pci_v321/cloudtrail.sp +++ b/pci_v321/cloudtrail.sp @@ -1,6 +1,6 @@ locals { pci_v321_cloudtrail_common_tags = merge(local.pci_v321_common_tags, { - service = "cloudtrail" + service = "AWS/CloudTrail" }) } @@ -13,7 +13,10 @@ benchmark "pci_v321_cloudtrail" { control.pci_v321_cloudtrail_3, control.pci_v321_cloudtrail_4 ] - tags = local.pci_v321_cloudtrail_common_tags + + tags = merge(local.pci_v321_cloudtrail_common_tags, { + type = "Benchmark" + }) } control "pci_v321_cloudtrail_1" { diff --git a/pci_v321/codebuild.sp b/pci_v321/codebuild.sp index fa8dbb93..03ebf774 100644 --- a/pci_v321/codebuild.sp +++ b/pci_v321/codebuild.sp @@ -1,6 +1,6 @@ locals { pci_v321_codebuild_common_tags = merge(local.pci_v321_common_tags, { - service = "codebuild" + service = "AWS/CodeBuild" }) } @@ -11,7 +11,10 @@ benchmark "pci_v321_codebuild" { control.pci_v321_codebuild_1, control.pci_v321_codebuild_2 ] - tags = local.pci_v321_codebuild_common_tags + + tags = merge(local.pci_v321_codebuild_common_tags, { + type = "Benchmark" + }) } control "pci_v321_codebuild_1" { diff --git a/pci_v321/config.sp b/pci_v321/config.sp index 2c4023ca..77e38c5a 100644 --- a/pci_v321/config.sp +++ b/pci_v321/config.sp @@ -1,6 +1,6 @@ locals { pci_v321_config_common_tags = merge(local.pci_v321_common_tags, { - service = "config" + service = "AWS/Config" }) } @@ -10,7 +10,10 @@ benchmark "pci_v321_config" { children = [ control.pci_v321_config_1 ] - tags = local.pci_v321_config_common_tags + + tags = merge(local.pci_v321_config_common_tags, { + type = "Benchmark" + }) } control "pci_v321_config_1" { 
diff --git a/pci_v321/cw.sp b/pci_v321/cw.sp index d2f6897f..0c2cf9f9 100644 --- a/pci_v321/cw.sp +++ b/pci_v321/cw.sp @@ -1,6 +1,6 @@ locals { pci_v321_cw_common_tags = merge(local.pci_v321_common_tags, { - service = "cloudwatch" + service = "AWS/CloudWatch" }) } @@ -10,7 +10,10 @@ benchmark "pci_v321_cw" { children = [ control.pci_v321_cw_1 ] - tags = local.pci_v321_cw_common_tags + + tags = merge(local.pci_v321_cw_common_tags, { + type = "Benchmark" + }) } control "pci_v321_cw_1" { diff --git a/pci_v321/dms.sp b/pci_v321/dms.sp index cb0871f9..b3802821 100644 --- a/pci_v321/dms.sp +++ b/pci_v321/dms.sp @@ -1,6 +1,6 @@ locals { pci_v321_dms_common_tags = merge(local.pci_v321_common_tags, { - service = "dms" + service = "AWS/DMS" }) } @@ -10,7 +10,10 @@ benchmark "pci_v321_dms" { children = [ control.pci_v321_dms_1 ] - tags = local.pci_v321_dms_common_tags + + tags = merge(local.pci_v321_dms_common_tags, { + type = "Benchmark" + }) } control "pci_v321_dms_1" { diff --git a/pci_v321/ec2.sp b/pci_v321/ec2.sp index 0daf81f4..87cff67a 100644 --- a/pci_v321/ec2.sp +++ b/pci_v321/ec2.sp @@ -1,6 +1,6 @@ locals { pci_v321_ec2_common_tags = merge(local.pci_v321_common_tags, { - service = "ec2" + service = "AWS/EC2" }) } @@ -15,7 +15,10 @@ benchmark "pci_v321_ec2" { control.pci_v321_ec2_5, control.pci_v321_ec2_6, ] - tags = local.pci_v321_ec2_common_tags + + tags = merge(local.pci_v321_ec2_common_tags, { + type = "Benchmark" + }) } control "pci_v321_ec2_1" { diff --git a/pci_v321/elbv2.sp b/pci_v321/elbv2.sp index c3944462..22fdecbe 100644 --- a/pci_v321/elbv2.sp +++ b/pci_v321/elbv2.sp @@ -1,6 +1,6 @@ locals { pci_v321_elbv2_common_tags = merge(local.pci_v321_common_tags, { - service = "elbv2" + service = "AWS/ELBv2" }) } @@ -10,7 +10,10 @@ benchmark "pci_v321_elbv2" { children = [ control.pci_v321_elbv2_1 ] - tags = local.pci_v321_elbv2_common_tags + + tags = merge(local.pci_v321_elbv2_common_tags, { + type = "Benchmark" + }) } control "pci_v321_elbv2_1" { 
diff --git a/pci_v321/es.sp b/pci_v321/es.sp index facecd2f..3463eccf 100644 --- a/pci_v321/es.sp +++ b/pci_v321/es.sp @@ -1,6 +1,6 @@ locals { pci_v321_es_common_tags = merge(local.pci_v321_common_tags, { - service = "es" + service = "AWS/ES" }) } @@ -11,7 +11,10 @@ benchmark "pci_v321_es" { control.pci_v321_es_1, control.pci_v321_es_2, ] - tags = local.pci_v321_es_common_tags + + tags = merge(local.pci_v321_es_common_tags, { + type = "Benchmark" + }) } control "pci_v321_es_1" { diff --git a/pci_v321/guardduty.sp b/pci_v321/guardduty.sp index 815faad3..2873dcf9 100644 --- a/pci_v321/guardduty.sp +++ b/pci_v321/guardduty.sp @@ -1,6 +1,6 @@ locals { pci_v321_guardduty_common_tags = merge(local.pci_v321_common_tags, { - service = "guardduty" + service = "AWS/GuardDuty" }) } @@ -10,7 +10,10 @@ benchmark "pci_v321_guardduty" { children = [ control.pci_v321_guardduty_1 ] - tags = local.pci_v321_guardduty_common_tags + + tags = merge(local.pci_v321_guardduty_common_tags, { + type = "Benchmark" + }) } control "pci_v321_guardduty_1" { diff --git a/pci_v321/iam.sp b/pci_v321/iam.sp index afe2fcb8..6a2c0ff5 100644 --- a/pci_v321/iam.sp +++ b/pci_v321/iam.sp @@ -1,6 +1,6 @@ locals { pci_v321_iam_common_tags = merge(local.pci_v321_common_tags, { - service = "iam" + service = "AWS/IAM" }) } @@ -17,7 +17,10 @@ benchmark "pci_v321_iam" { control.pci_v321_iam_7, control.pci_v321_iam_8, ] - tags = local.pci_v321_iam_common_tags + + tags = merge(local.pci_v321_iam_common_tags, { + type = "Benchmark" + }) } control "pci_v321_iam_1" { diff --git a/pci_v321/kms.sp b/pci_v321/kms.sp index 9f320902..a62ba893 100644 --- a/pci_v321/kms.sp +++ b/pci_v321/kms.sp @@ -1,6 +1,6 @@ locals { pci_v321_kms_common_tags = merge(local.pci_v321_common_tags, { - service = "kms" + service = "AWS/KMS" }) } 
@@ -10,7 +10,10 @@ benchmark "pci_v321_kms" { children = [ control.pci_v321_kms_1 ] - tags = local.pci_v321_kms_common_tags + + tags = merge(local.pci_v321_kms_common_tags, { + type = "Benchmark" + }) } control "pci_v321_kms_1" { diff --git a/pci_v321/lambda.sp b/pci_v321/lambda.sp index 22630396..4e4ed019 100644 --- a/pci_v321/lambda.sp +++ b/pci_v321/lambda.sp @@ -1,6 +1,6 @@ locals { pci_v321_lambda_common_tags = merge(local.pci_v321_common_tags, { - service = "lambda" + service = "AWS/Lambda" }) } @@ -11,7 +11,10 @@ benchmark "pci_v321_lambda" { control.pci_v321_lambda_1, control.pci_v321_lambda_2 ] - tags = local.pci_v321_lambda_common_tags + + tags = merge(local.pci_v321_lambda_common_tags, { + type = "Benchmark" + }) } control "pci_v321_lambda_1" { diff --git a/pci_v321/pci.sp b/pci_v321/pci.sp index d7bc62b5..67e73cdc 100644 --- a/pci_v321/pci.sp +++ b/pci_v321/pci.sp @@ -1,9 +1,8 @@ locals { - pci_v321_common_tags = { + pci_v321_common_tags = merge(local.aws_compliance_common_tags, { pci = "true" pci_version = "v3.2.1" - plugin = "aws" - } + }) } benchmark "pci_v321" { @@ -30,5 +29,8 @@ benchmark "pci_v321" { benchmark.pci_v321_sagemaker, benchmark.pci_v321_ssm ] - tags = local.pci_v321_common_tags + + tags = merge(local.pci_v321_common_tags, { + type = "Benchmark" + }) } diff --git a/pci_v321/rds.sp b/pci_v321/rds.sp index c1bf520f..76d3b8b0 100644 --- a/pci_v321/rds.sp +++ b/pci_v321/rds.sp @@ -1,6 +1,6 @@ locals { pci_v321_rds_common_tags = merge(local.pci_v321_common_tags, { - service = "rds" + service = "AWS/RDS" }) } @@ -11,7 +11,10 @@ benchmark "pci_v321_rds" { control.pci_v321_rds_1, control.pci_v321_rds_2, ] - tags = local.pci_v321_rds_common_tags + + tags = merge(local.pci_v321_rds_common_tags, { + type = "Benchmark" + }) } control "pci_v321_rds_1" { diff --git a/pci_v321/redshift.sp b/pci_v321/redshift.sp index ca5e6a60..9d083f63 100644 --- a/pci_v321/redshift.sp +++ b/pci_v321/redshift.sp 
@@ -1,6 +1,6 @@ locals { pci_v321_redshift_common_tags = merge(local.pci_v321_common_tags, { - service = "redshift" + service = "AWS/Redshift" }) } @@ -10,7 +10,10 @@ benchmark "pci_v321_redshift" { children = [ control.pci_v321_redshift_1 ] - tags = local.pci_v321_redshift_common_tags + + tags = merge(local.pci_v321_redshift_common_tags, { + type = "Benchmark" + }) } control "pci_v321_redshift_1" { diff --git a/pci_v321/s3.sp b/pci_v321/s3.sp index cf71f450..96eb0695 100644 --- a/pci_v321/s3.sp +++ b/pci_v321/s3.sp @@ -1,6 +1,6 @@ locals { pci_v321_s3_common_tags = merge(local.pci_v321_common_tags, { - service = "s3" + service = "AWS/S3" }) } @@ -15,7 +15,10 @@ benchmark "pci_v321_s3" { control.pci_v321_s3_5, control.pci_v321_s3_6, ] - tags = local.pci_v321_s3_common_tags + + tags = merge(local.pci_v321_s3_common_tags, { + type = "Benchmark" + }) } control "pci_v321_s3_1" { diff --git a/pci_v321/sagemaker.sp b/pci_v321/sagemaker.sp index a2f553c8..bbf44484 100644 --- a/pci_v321/sagemaker.sp +++ b/pci_v321/sagemaker.sp @@ -1,6 +1,6 @@ locals { pci_v321_sagemaker_common_tags = merge(local.pci_v321_common_tags, { - service = "sagemaker" + service = "AWS/SageMaker" }) } @@ -10,7 +10,10 @@ benchmark "pci_v321_sagemaker" { children = [ control.pci_v321_sagemaker_1, ] - tags = local.pci_v321_sagemaker_common_tags + + tags = merge(local.pci_v321_sagemaker_common_tags, { + type = "Benchmark" + }) } control "pci_v321_sagemaker_1" { diff --git a/pci_v321/ssm.sp b/pci_v321/ssm.sp index 71d291a7..bd7b02a6 100644 --- a/pci_v321/ssm.sp +++ b/pci_v321/ssm.sp @@ -1,6 +1,6 @@ locals { pci_v321_ssm_common_tags = merge(local.pci_v321_common_tags, { - service = "ssm" + service = "AWS/SSM" }) } @@ -12,7 +12,10 @@ benchmark "pci_v321_ssm" { control.pci_v321_ssm_2, control.pci_v321_ssm_3 ] - tags = local.pci_v321_ssm_common_tags + + tags = merge(local.pci_v321_ssm_common_tags, { + type = "Benchmark" + }) } control "pci_v321_ssm_1" { 
diff --git a/rbi_cyber_security/annex_i_1_1.sp b/rbi_cyber_security/annex_i_1_1.sp index 13781651..c63bb1fa 100644 --- a/rbi_cyber_security/annex_i_1_1.sp +++ b/rbi_cyber_security/annex_i_1_1.sp @@ -8,5 +8,6 @@ benchmark "rbi_cyber_security_annex_i_1_1" { tags = merge(local.rbi_cyber_security_common_tags, { rbi_cyber_security_item_id = "annex_i_1_1" + service = "AWS/EC2" }) } diff --git a/rbi_cyber_security/annex_i_7_1.sp b/rbi_cyber_security/annex_i_7_1.sp index e9b2587a..473c98f8 100644 --- a/rbi_cyber_security/annex_i_7_1.sp +++ b/rbi_cyber_security/annex_i_7_1.sp @@ -12,5 +12,6 @@ benchmark "rbi_cyber_security_annex_i_7_1" { tags = merge(local.rbi_cyber_security_common_tags, { rbi_cyber_security_item_id = "annex_i_7_1" + service = "AWS/IAM" }) } diff --git a/rbi_cyber_security/annex_i_7_2.sp b/rbi_cyber_security/annex_i_7_2.sp index c8fb22b4..c6eeb963 100644 --- a/rbi_cyber_security/annex_i_7_2.sp +++ b/rbi_cyber_security/annex_i_7_2.sp @@ -8,5 +8,6 @@ benchmark "rbi_cyber_security_annex_i_7_2" { tags = merge(local.rbi_cyber_security_common_tags, { rbi_cyber_security_item_id = "annex_i_7_2" + service = "AWS/IAM" }) } diff --git a/rbi_cyber_security/annex_i_7_3.sp b/rbi_cyber_security/annex_i_7_3.sp index 5b2ef918..fbe2f0c6 100644 --- a/rbi_cyber_security/annex_i_7_3.sp +++ b/rbi_cyber_security/annex_i_7_3.sp @@ -8,5 +8,6 @@ benchmark "rbi_cyber_security_annex_i_7_3" { tags = merge(local.rbi_cyber_security_common_tags, { rbi_cyber_security_item_id = "annex_i_7_3" + service = "AWS/VPC" }) } diff --git a/rbi_cyber_security/rbi_cyber_security.sp b/rbi_cyber_security/rbi_cyber_security.sp index c7a7a358..448c9480 100644 --- a/rbi_cyber_security/rbi_cyber_security.sp +++ b/rbi_cyber_security/rbi_cyber_security.sp @@ -1,8 +1,8 @@ locals { - rbi_cyber_security_common_tags = { + rbi_cyber_security_common_tags = merge(local.aws_compliance_common_tags, { rbi_cyber_security = "true" - plugin = "aws" - } + type = "Benchmark" + }) } benchmark "rbi_cyber_security" { 
diff --git a/soc2/cc_3.sp b/soc2/cc_3.sp index 17f28ccd..ef3422e6 100644 --- a/soc2/cc_3.sp +++ b/soc2/cc_3.sp @@ -75,6 +75,7 @@ benchmark "soc_2_cc_3_4" { ] tags = merge(local.soc_2_cc_3_common_tags, { + service = "AWS/Config" soc_2_item_id = "3.4" soc_2_type = "automated" }) diff --git a/soc2/cc_4.sp b/soc2/cc_4.sp index a6f0aaa5..d88b5672 100644 --- a/soc2/cc_4.sp +++ b/soc2/cc_4.sp @@ -40,6 +40,7 @@ benchmark "soc_2_cc_4_2" { ] tags = merge(local.soc_2_cc_4_common_tags, { + service = "AWS/GuardDuty" soc_2_item_id = "4.2" soc_2_type = "automated" }) diff --git a/soc2/cc_6.sp b/soc2/cc_6.sp index 7cc5a80c..004a4b9b 100644 --- a/soc2/cc_6.sp +++ b/soc2/cc_6.sp @@ -31,6 +31,7 @@ benchmark "soc_2_cc_6_1" { ] tags = merge(local.soc_2_cc_6_common_tags, { + service = "AWS/S3" soc_2_item_id = "6.1" soc_2_type = "automated" }) @@ -45,6 +46,7 @@ benchmark "soc_2_cc_6_2" { ] tags = merge(local.soc_2_cc_6_common_tags, { + service = "AWS/RDS" soc_2_item_id = "6.2" soc_2_type = "automated" }) @@ -59,6 +61,7 @@ benchmark "soc_2_cc_6_3" { ] tags = merge(local.soc_2_cc_6_common_tags, { + service = "AWS/IAM" soc_2_item_id = "6.3" soc_2_type = "automated" }) @@ -101,6 +104,7 @@ benchmark "soc_2_cc_6_6" { ] tags = merge(local.soc_2_cc_6_common_tags, { + service = "AWS/EC2" soc_2_item_id = "6.6" soc_2_type = "automated" }) @@ -115,6 +119,7 @@ benchmark "soc_2_cc_6_7" { ] tags = merge(local.soc_2_cc_6_common_tags, { + service = "AWS/ACM" soc_2_item_id = "6.7" soc_2_type = "automated" }) diff --git a/soc2/cc_c_1.sp b/soc2/cc_c_1.sp index 6ab90d22..e8d86d26 100644 --- a/soc2/cc_c_1.sp +++ b/soc2/cc_c_1.sp @@ -40,6 +40,7 @@ benchmark "soc_2_cc_c_1_2" { ] tags = merge(local.soc_2_cc_c_1_common_tags, { + service = "AWS/S3" soc_2_item_id = "c1.2" soc_2_type = "automated" }) diff --git a/soc2/soc_2.sp b/soc2/soc_2.sp index 8b77e85e..e1f1b7c9 100644 --- a/soc2/soc_2.sp +++ b/soc2/soc_2.sp 
@@ -1,8 +1,8 @@ locals { - soc_2_common_tags = { - soc_2 = "true" - plugin = "aws" - } + soc_2_common_tags = merge(local.aws_compliance_common_tags, { + soc_2 = "true" + type = "Benchmark" + }) } benchmark "soc_2" {