Merge pull request #471 from turbot/release/v0.41

Release/v0.41

CHANGELOG.md

@@ -1,3 +1,53 @@
+## v0.41 [2022-07-21]
+
+_What's new?_
+
+- Added the following new controls to the AWS Foundational Security Best Practices benchmark: ([#468](https://github.com/turbot/steampipe-mod-aws-compliance/pull/468))([#457](https://github.com/turbot/steampipe-mod-aws-compliance/pull/457))
+  - AutoScaling.3
+  - AutoScaling.4
+  - CloudFormation.1
+  - CloudFront.10
+  - EC2.23
+  - EC2.24
+  - EC2.27
+  - ECR.1
+  - ECR.2
+  - ECS.3
+  - ECS.4
+  - ECS.5
+  - ECS.8
+  - ECS.10
+  - ECS.12
+  - EFS.3
+  - EFS.4
+  - EKS.2
+  - ELB.12
+  - ELB.13
+  - ELB.14
+  - Kinesis.1
+  - NetworkFirewall.3
+  - NetworkFirewall.4
+  - NetworkFirewall.5
+  - OpenSearch.7
+  - Redshift.9
+  - S3.13
+  - SNS.2
+  - WAF.6
+  - WAF.7
+  - WAF.8
+
+_Enhancements_
+
+- Updated the `kms_cmk_rotation_enabled` query to skip KMS keys which are either in `PendingDeletion` or `Disabled` state since we cannot set rotation for such keys. ([#466](https://github.com/turbot/steampipe-mod-aws-compliance/pull/466)) (Thanks to [@yorinasub17](https://github.com/yorinasub17) for the contribution!)
+
+_Breaking changes_
+
+- Renamed the control and the query `dynamodb_table_encrypted_with_kms_cmk` to `dynamodb_table_encrypted_with_kms` to maintain consistency with AWS documentation. ([#467](https://github.com/turbot/steampipe-mod-aws-compliance/pull/467)) (Thanks to [@pdecat](https://github.com/pdecat) for the contribution!)
+
+_Dependencies_
+
+- AWS plugin `v0.71.0` or higher is now required. ([#470](https://github.com/turbot/steampipe-mod-aws-compliance/pull/470))
+
 ## v0.40 [2022-07-15]
 
 _What's new?_

cisa_cyber_essentials/your_data.sp

@@ -19,7 +19,7 @@ benchmark "cisa_cyber_essentials_your_data_1" {
     control.apigateway_stage_cache_encryption_at_rest_enabled,
     control.backup_recovery_point_encryption_enabled,
     control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
-    control.dynamodb_table_encrypted_with_kms_cmk,
+    control.dynamodb_table_encrypted_with_kms,
     control.ebs_attached_volume_encryption_enabled,
     control.ec2_ebs_default_encryption_enabled,
     control.efs_file_system_encrypted_with_cmk,
@@ -55,7 +55,7 @@ benchmark "cisa_cyber_essentials_your_data_2" {
     control.cloudtrail_trail_integrated_with_logs,
     control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
     control.dms_replication_instance_not_publicly_accessible,
-    control.dynamodb_table_encrypted_with_kms_cmk,
+    control.dynamodb_table_encrypted_with_kms,
     control.ebs_attached_volume_encryption_enabled,
     control.ebs_snapshot_not_publicly_restorable,
     control.ec2_ebs_default_encryption_enabled,

cisa_cyber_essentials/your_systems.sp

@@ -58,7 +58,7 @@ benchmark "cisa_cyber_essentials_your_systems_3" {
     control.codebuild_project_source_repo_oauth_configured,
     control.dms_replication_instance_not_publicly_accessible,
     control.dynamodb_table_auto_scaling_enabled,
-    control.dynamodb_table_encrypted_with_kms_cmk,
+    control.dynamodb_table_encrypted_with_kms,
     control.dynamodb_table_in_backup_plan,
     control.dynamodb_table_point_in_time_recovery_enabled,
     control.dynamodb_table_protected_by_backup_plan,

conformance_pack/dynamodb.sp

@@ -44,10 +44,10 @@ control "dynamodb_table_point_in_time_recovery_enabled" {
   })
 }
 
-control "dynamodb_table_encrypted_with_kms_cmk" {
+control "dynamodb_table_encrypted_with_kms" {
   title       = "DynamoDB table should be encrypted with AWS KMS"
   description = "Ensure that encryption is enabled for your Amazon DynamoDB tables. Because sensitive data can exist at rest in these tables, enable encryption at rest to help protect that data."
-  sql         = query.dynamodb_table_encrypted_with_kms_cmk.sql
+  sql         = query.dynamodb_table_encrypted_with_kms.sql
 
   tags = merge(local.conformance_pack_dynamodb_common_tags, {
     cisa_cyber_essentials = "true"

foundational_security/autoscaling.sp

@@ -10,6 +10,8 @@ benchmark "foundational_security_autoscaling" {
   children = [
     control.foundational_security_autoscaling_1,
     control.foundational_security_autoscaling_2,
+    control.foundational_security_autoscaling_3,
+    control.foundational_security_autoscaling_4,
     control.foundational_security_autoscaling_5
   ]
 
@@ -44,6 +46,32 @@ control "foundational_security_autoscaling_2" {
   })
 }
 
+control "foundational_security_autoscaling_3" {
+  title         = "3 Auto Scaling group should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)"
+  description   = "This control checks whether IMDSv2 is enabled on all instances launched by Amazon EC2 Auto Scaling groups. The control fails if the Instance Metadata Service (IMDS) version is not included in the launch configuration or if both IMDSv1 and IMDSv2 are enabled."
+  severity      = "high"
+  sql           = query.autoscaling_launch_config_requires_imdsv2.sql
+  documentation = file("./foundational_security/docs/foundational_security_autoscaling_3.md")
+
+  tags = merge(local.foundational_security_autoscaling_common_tags, {
+    foundational_security_item_id  = "autoscaling_3"
+    foundational_security_category = "secure_network_configuration"
+  })
+}
+
+control "foundational_security_autoscaling_4" {
+  title         = "4 Auto Scaling group launch configuration should not have metadata response hop limit greater than 1"
+  description   = "This control checks the number of network hops that a metadata token can travel. The control fails if the metadata response hop limit is greater than 1."
+  severity      = "high"
+  sql           = query.autoscaling_launch_config_hop_limit.sql
+  documentation = file("./foundational_security/docs/foundational_security_autoscaling_4.md")
+
+  tags = merge(local.foundational_security_autoscaling_common_tags, {
+    foundational_security_item_id  = "autoscaling_4"
+    foundational_security_category = "secure_network_configuration"
+  })
+}
+
 control "foundational_security_autoscaling_5" {
   title         = "5 Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses"
   description   = "This control checks whether an Auto Scaling groups associated launch configuration assigns a public IP address to the group’s instances."

foundational_security/cloudformation.sp

@@ -0,0 +1,30 @@
+locals {
+  foundational_security_cloudformation_common_tags = merge(local.foundational_security_common_tags, {
+    service = "AWS/CloudFormation"
+  })
+}
+
+benchmark "foundational_security_cloudformation" {
+  title         = "CloudFormation"
+  documentation = file("./foundational_security/docs/foundational_security_cloudformation.md")
+  children = [
+    control.foundational_security_cloudformation_1
+  ]
+
+  tags = merge(local.foundational_security_cloudformation_common_tags, {
+    type = "Benchmark"
+  })
+}
+
+control "foundational_security_cloudformation_1" {
+  title         = "1 CloudFormation stacks should be integrated with Simple Notification Service (SNS)"
+  description   = "This control checks whether an Amazon Simple Notification Service notification is integrated with a CloudFormation stack. The control fails for a CloudFormation stack if there is no SNS notification associated with it."
+  severity      = "low"
+  sql           = query.cloudformation_stack_notifications_enabled.sql
+  documentation = file("./foundational_security/docs/foundational_security_cloudformation_1.md")
+
+  tags = merge(local.foundational_security_cloudformation_common_tags, {
+    foundational_security_item_id  = "cloudformation_1"
+    foundational_security_category = "application_monitoring"
+  })
+}

foundational_security/cloudfront.sp

@@ -16,7 +16,8 @@ benchmark "foundational_security_cloudfront" {
     control.foundational_security_cloudfront_6,
     control.foundational_security_cloudfront_7,
     control.foundational_security_cloudfront_8,
-    control.foundational_security_cloudfront_9
+    control.foundational_security_cloudfront_9,
+    control.foundational_security_cloudfront_10
   ]
 
   tags = merge(local.foundational_security_cloudfront_common_tags, {
@@ -140,3 +141,16 @@ control "foundational_security_cloudfront_9" {
     foundational_security_category = "encryption_of_data_in_transit"
   })
 }
+
+control "foundational_security_cloudfront_10" {
+  title         = "10 CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins"
+  description   = "This control checks if Amazon CloudFront distributions are using deprecated SSL protocols for HTTPS communication between CloudFront edge locations and your custom origins. This control fails if a CloudFront distribution has a CustomOriginConfig where OriginSslProtocols includes SSLv3."
+  severity      = "medium"
+  sql           = query.cloudfront_distribution_no_deprecated_ssl_protocol.sql
+  documentation = file("./foundational_security/docs/foundational_security_cloudfront_10.md")
+
+  tags = merge(local.foundational_security_cloudfront_common_tags, {
+    foundational_security_item_id  = "cloudfront_10"
+    foundational_security_category = "encryption_of_data_in_transit"
+  })
+}

foundational_security/docs/foundational_security_autoscaling_3.md

@@ -0,0 +1,11 @@
+## Description
+
+This control checks whether IMDSv2 is enabled on all instances launched by Amazon EC2 Auto Scaling groups. The control fails if the Instance Metadata Service (IMDS) version is not included in the launch configuration or if both IMDSv1 and IMDSv2 are enabled.
+
+IMDS provides data about your instance that you can use to configure or manage the running instance.
+
+Version 2 of the IMDS adds new protections that weren't available in IMDSv1 to further safeguard your EC2 instances.
+
+## Remediation
+
+An Auto Scaling group is associated with one launch configuration at a time. You cannot modify a launch configuration after you create it. To change the launch configuration for an Auto Scaling group, use an existing launch configuration as the basis for a new launch configuration with IMDSv2 enabled. For more information, see [Configure instance metadata options for new instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-options.html#configuring-IMDS-new-instances) in the Amazon EC2 User Guide for Linux Instances.

foundational_security/docs/foundational_security_autoscaling_4.md

@@ -0,0 +1,11 @@
+## Description
+
+This control checks the number of network hops that a metadata token can travel. The control fails if the metadata response hop limit is greater than 1.
+
+The Instance Metadata Service (IMDS) provides metadata information about an Amazon EC2 instance and is useful for application configuration. Restricting the HTTP PUT response for the metadata service to only the EC2 instance protects the IMDS from unauthorized use.
+
+The Time To Live (TTL) field in the IP packet is reduced by one on every hop. This reduction can be used to ensure that the packet does not travel outside EC2. IMDSv2 protects EC2 instances that may have been misconfigured as open routers, layer 3 firewalls, VPNs, tunnels, or NAT devices, which prevents unauthorized users from retrieving metadata. With IMDSv2, the PUT response that contains the secret token cannot travel outside the instance because the default metadata response hop limit is set to 1. However, if this value is greater than 1, the token can leave the EC2 instance.
+
+## Remediation
+
+For detailed instructions on how to modify the metadata response hop limit for an existing launch configuration, see [Modify instance metadata options for existing instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-options.html#configuring-IMDS-existing-instances) in the Amazon EC2 User Guide for Linux Instances.

foundational_security/docs/foundational_security_cloudformation.md

@@ -0,0 +1,3 @@
+## Overview
+
+This section contains recommendations for configuring CloudFormation resources and options.

foundational_security/docs/foundational_security_cloudformation_1.md

@@ -0,0 +1,9 @@
+## Description
+
+This control checks whether an Amazon Simple Notification Service notification is integrated with a CloudFormation stack. The control fails for a CloudFormation stack if there is no SNS notification associated with it.
+
+Configuring an SNS notification with your CloudFormation stack helps immediately notify stakeholders of any events or changes occurring with the stack.
+
+## Remediation
+
+For information about how to update a CloudFormation stack, see [AWS CloudFormation stack updates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks.html) in the AWS CloudFormation User Guide.

foundational_security/docs/foundational_security_cloudfront_10.md

@@ -0,0 +1,9 @@
+## Description
+
+This control checks if Amazon CloudFront distributions are using deprecated SSL protocols for HTTPS communication between CloudFront edge locations and your custom origins. This control fails if a CloudFront distribution has a CustomOriginConfig where OriginSslProtocols includes SSLv3.
+
+In 2015, the Internet Engineering Task Force (IETF) officially announced that SSL 3.0 should be deprecated due to the protocol being insufficiently secure. It is recommended that you use TLSv1.2 or later for HTTPS communication to your custom origins.
+
+## Remediation
+
+To update the Origin SSL Protocols for your CloudFront distributions, see [Requiring HTTPS for communication between CloudFront and your custom origin](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-custom-origin.html) in the Amazon CloudFront Developer Guide.

foundational_security/docs/foundational_security_ec2_23.md

@@ -0,0 +1,9 @@
+## Description
+
+This control checks if EC2 Transit Gateways are automatically accepting shared VPC attachments. This control fails for a Transit Gateway that automatically accepts shared VPC attachment requests.
+
+Turning on AutoAcceptSharedAttachments configures a Transit Gateway to automatically accept any cross-account VPC attachment requests without verifying the request or the account the attachment is originating from. To follow the best practices of authorization and authentication, we recommended turning off this feature to ensure that only authorized VPC attachment requests are accepted.
+
+## Remediation
+
+For information about how to modify a Transit Gateway, see [Modify a transit gateway](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-transit-gateways.html#tgw-modifying) in the Amazon VPC Developer Guide.

foundational_security/docs/foundational_security_ec2_24.md

@@ -0,0 +1,11 @@
+## Description
+
+This control checks whether the virtualization type of an EC2 instance is paravirtual. The control fails if the virtualizationType of the EC2 instance is set to paravirtual.
+
+Linux Amazon Machine Images (AMIs) use one of two types of virtualization: paravirtual (PV) or hardware virtual machine (HVM). The main differences between PV and HVM AMIs are the way in which they boot and whether they can take advantage of special hardware extensions (CPU, network, and storage) for better performance.
+
+Historically, PV guests had better performance than HVM guests in many cases, but because of enhancements in HVM virtualization and the availability of PV drivers for HVM AMIs, this is no longer true. For more information, see Linux AMI virtualization types in the Amazon EC2 User Guide for Linux Instances.
+
+## Remediation
+
+For information about how to update an EC2 instance to a new instance type, see [Change the instance type](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-resize.html) in the Amazon EC2 User Guide for Linux Instances.

foundational_security/docs/foundational_security_ec2_27.md

@@ -0,0 +1,9 @@
+## Description
+
+This control checks whether running EC2 instances are using key pairs. The control fails if a running EC2 instance uses a key pair.
+
+As best practice, we recommend that you reduce the number of credentials in use whenever possible to minimize the risk of compromised credentials and unintended access. EC2 instances without key pairs can still be accessed using AWS Systems Manager Session Manager or browser-based SSH connection via the AWS console. You can also access EC2 instances with a password, but we do not recommend this because it involves credentials similar to key pairs.
+
+## Remediation
+
+To delete a key pair, see [Delete your public key on Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/delete-key-pair.html) in the Amazon EC2 User Guide for Linux Instances.

foundational_security/docs/foundational_security_ecr_1.md

@@ -0,0 +1,9 @@
+## Description
+
+This control checks whether a private ECR repository has image scanning configured. This control fails if a private ECR repository doesn't have image scanning configured.
+
+ECR image scanning helps in identifying software vulnerabilities in your container images. ECR uses the Common Vulnerabilities and Exposures (CVEs) database from the open-source Clair project  and provides a list of scan findings. Enabling image scanning on ECR repositories adds a layer of verification for the integrity and safety of the images being stored.
+
+## Remediation
+
+To configure image scanning for an ECR repository, see [Image scanning](https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html) in the Amazon Elastic Container Registry User Guide.

foundational_security/docs/foundational_security_ecr_2.md

@@ -0,0 +1,9 @@
+## Description
+
+This control checks whether a private ECR repository has tag immutability enabled. This control fails if a private ECR repository has tag immutability disabled. This rule passes if tag immutability is enabled and has the value IMMUTABLE.
+
+Amazon ECR Tag Immutability enables customers to rely on the descriptive tags of an image as a reliable mechanism to track and uniquely identify images. An immutable tag is static, which means each tag refers to a unique image. This improves reliability and scalability as the use of a static tag will always result in the same image being deployed. When configured, tag immutability prevents the tags from being overridden, which reduces the attack surface.
+
+## Remediation
+
+To configure image scanning for an ECR repository, see [Image scanning](https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html) in the Amazon Elastic Container Registry User Guide.

foundational_security/docs/foundational_security_ecs_10.md

@@ -0,0 +1,9 @@
+## Description
+
+This control checks if Amazon ECS Fargate services are running the latest Fargate platform version. This control fails if the platform version is not the latest.
+
+AWS Fargate platform versions refer to a specific runtime environment for Fargate task infrastructure, which is a combination of kernel and container runtime versions. New platform versions are released as the runtime environment evolves. For example, a new version may be released for kernel or operating system updates, new features, bug fixes, or security updates. Security updates and patches are deployed automatically for your Fargate tasks. If a security issue is found that affects a platform version, AWS patches the platform version.
+
+## Remediation
+
+To update an existing service, including its platform version, see [Updating a service](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/update-service.html) in the Amazon Elastic Container Service Developer Guide.

foundational_security/docs/foundational_security_ecs_12.md

@@ -0,0 +1,9 @@
+## Description
+
+This control checks if ECS clusters use Container Insights. This control fails if Container Insights are not set up for a cluster.
+
+Monitoring is an important part of maintaining the reliability, availability, and performance of Amazon ECS clusters. Use CloudWatch Container Insights to collect, aggregate, and summarize metrics and logs from your containerized applications and microservices. CloudWatch automatically collects metrics for many resources, such as CPU, memory, disk, and network. Container Insights also provides diagnostic information, such as container restart failures, to help you isolate issues and resolve them quickly. You can also set CloudWatch alarms on metrics that Container Insights collects.
+
+## Remediation
+
+To use Container Insights, see [Updating a service](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/deploy-container-insights-ECS.html) in the Amazon CloudWatch User Guide.