Add queries for automated checks for controls cis_v130_1_2, cis_v14…

…0_1_2`, `cis_v140_2_1_4`, `cis_v150_1_2`, `cis_v150_2_1_4` (#502) Co-authored-by: Cody Bruno <cody@turbot.com>
turbot · Sep 24, 2022 · d2f403f · d2f403f
1 parent 8f7524e
commit d2f403f
Show file tree

Hide file tree

Showing 9 changed files with 63 additions and 9 deletions.
diff --git a/cis_v130/section_1.sp b/cis_v130/section_1.sp
@@ -54,7 +54,7 @@ control "cis_v130_1_1" {
 control "cis_v130_1_2" {
   title         = "1.2 Ensure security contact information is registered"
   description   = "AWS provides customers with the option of specifying the contact information for accounts security team. It is recommended that this information be provided."
-  sql           = query.manual_control.sql
+  sql           = query.account_alternate_contact_security_registered.sql
   documentation = file("./cis_v130/docs/cis_v130_1_2.md")
 
   tags = merge(local.cis_v130_1_common_tags, {

diff --git a/cis_v140/section_1.sp b/cis_v140/section_1.sp
@@ -53,7 +53,7 @@ control "cis_v140_1_1" {
 control "cis_v140_1_2" {
   title         = "1.2 Ensure security contact information is registered"
   description   = "AWS provides customers with the option of specifying the contact information for account's security team. It is recommended that this information be provided."
-  sql           = query.manual_control.sql
+  sql           = query.account_alternate_contact_security_registered.sql
   documentation = file("./cis_v140/docs/cis_v140_1_2.md")
 
   tags = merge(local.cis_v140_1_common_tags, {

diff --git a/cis_v140/section_2.sp b/cis_v140/section_2.sp
@@ -93,7 +93,7 @@ control "cis_v140_2_1_4" {
   title         = "2.1.4 Ensure all data in Amazon S3 has been discovered, classified and secured when required"
   description   = "Amazon S3 buckets can contain sensitive data, that for security purposes should be discovered, monitored, classified and protected. Macie along with other 3rd party tools can automatically provide an inventory of Amazon S3 buckets."
   documentation = file("./cis_v140/docs/cis_v140_2_1_4.md")
-  sql           = query.manual_control.sql
+  sql           = query.s3_bucket_protected_by_macie.sql
 
   tags = merge(local.cis_v140_2_1_common_tags, {
     cis_item_id = "2.1.4"

diff --git a/cis_v150/cis.sp b/cis_v150/cis.sp
@@ -5,7 +5,6 @@ locals {
   })
 }
 
-
 benchmark "cis_v150" {
   title         = "CIS v1.5.0"
   description   = "The CIS Amazon Web Services Foundations Benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings."

diff --git a/cis_v150/section_1.sp b/cis_v150/section_1.sp
@@ -53,7 +53,7 @@ control "cis_v150_1_1" {
 control "cis_v150_1_2" {
   title         = "1.2 Ensure security contact information is registered"
   description   = "AWS provides customers with the option of specifying the contact information for account's security team. It is recommended that this information be provided."
-  sql           = query.manual_control.sql
+  sql           = query.account_alternate_contact_security_registered.sql
   documentation = file("./cis_v150/docs/cis_v150_1_2.md")
 
   tags = merge(local.cis_v150_1_common_tags, {

diff --git a/cis_v150/section_2.sp b/cis_v150/section_2.sp
@@ -97,7 +97,7 @@ control "cis_v150_2_1_4" {
   title         = "2.1.4 Ensure all data in Amazon S3 has been discovered, classified and secured when required"
   description   = "Amazon S3 buckets can contain sensitive data, that for security purposes should be discovered, monitored, classified and protected. Macie along with other 3rd party tools can automatically provide an inventory of Amazon S3 buckets."
   documentation = file("./cis_v150/docs/cis_v150_2_1_4.md")
-  sql           = query.manual_control.sql
+  sql           = query.s3_bucket_protected_by_macie.sql
 
   tags = merge(local.cis_v150_2_1_common_tags, {
     cis_item_id = "2.1.4"

diff --git a/query/account/account_alternate_contact_security_registered.sql b/query/account/account_alternate_contact_security_registered.sql
@@ -0,0 +1,28 @@
+with alternate_security_contact as (
+  select
+    name,
+    account_id
+  from
+    aws_account_alternate_contact
+  where
+    contact_type = 'SECURITY'
+)
+select
+  -- Required Columns
+  arn as resource,
+  case
+    when a.partition = 'aws-us-gov' then 'info'
+    -- Name is a required field if setting a security contact
+    when c.name is not null then 'ok'
+    else 'alarm'
+  end as status,
+  case
+    when a.partition = 'aws-us-gov' then a.title || ' in GovCloud, manual verification required.'
+    when c.name is not null then a.title || ' has security contact ' || c.name || ' registered.'
+    else a.title || ' security contact not registered.'
+  end as reason,
+  -- Additional Dimensions
+  a.account_id
+from
+  aws_account as a
+  left join alternate_security_contact as c on c.account_id = a.account_id;
diff --git a/query/es/es_domain_node_to_node_encryption_enabled.sql b/query/es/es_domain_node_to_node_encryption_enabled.sql
@@ -2,17 +2,17 @@ select
   -- Required Columns
   arn as resource,
   case
+    when region = any(array['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1']) then 'skip'
     when not enabled then 'alarm'
     else 'ok'
   end as status,
   case
+    when region = any(array['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1']) then title || ' node-to-node encryption not supported in ' || region || '.'
     when not enabled then title || ' node-to-node encryption disabled.'
     else title || ' node-to-node encryption enabled.'
   end as reason,
   -- Additional Dimensions
   region,
   account_id
 from
-  aws_elasticsearch_domain
-where
-  region != any (ARRAY ['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1']);
+  aws_elasticsearch_domain;
diff --git a/query/s3/s3_bucket_protected_by_macie.sql b/query/s3/s3_bucket_protected_by_macie.sql
@@ -0,0 +1,27 @@
+with bucket_list as (
+  select
+    trim(b::text, '"' ) as bucket_name
+  from
+    aws_macie2_classification_job,
+    jsonb_array_elements(s3_job_definition -> 'BucketDefinitions') as d,
+    jsonb_array_elements(d -> 'Buckets') as b
+)
+select
+  -- Required Columns
+  b.arn as resource,
+  case
+    when b.region = any(array['us-gov-east-1', 'us-gov-west-1']) then 'skip'
+    when l.bucket_name is not null then 'ok'
+    else 'alarm'
+  end status,
+  case
+    when b.region = any(array['us-gov-east-1', 'us-gov-west-1']) then b.title || ' not protected by Macie as Macie is not supported in ' || b.region || '.'
+    when l.bucket_name is not null then b.title || ' protected by Macie.'
+    else b.title || ' not protected by Macie.'
+  end reason,
+  -- Additional Dimensions
+  b.region,
+  b.account_id
+from
+  aws_s3_bucket as b
+  left join bucket_list as l on b.name = l.bucket_name;