From d2f403f9a78a858cd9c055c01b87ed0dd8bee282 Mon Sep 17 00:00:00 2001 From: Khushboo <46913995+khushboo9024@users.noreply.github.com> Date: Sat, 24 Sep 2022 06:32:08 +0530 Subject: [PATCH] Add queries for automated checks for controls `cis_v130_1_2`, cis_v140_1_2`, `cis_v140_2_1_4`, `cis_v150_1_2`, `cis_v150_2_1_4` (#502) Co-authored-by: Cody Bruno --- cis_v130/section_1.sp | 2 +- cis_v140/section_1.sp | 2 +- cis_v140/section_2.sp | 2 +- cis_v150/cis.sp | 1 - cis_v150/section_1.sp | 2 +- cis_v150/section_2.sp | 2 +- ..._alternate_contact_security_registered.sql | 28 +++++++++++++++++++ ...domain_node_to_node_encryption_enabled.sql | 6 ++-- query/s3/s3_bucket_protected_by_macie.sql | 27 ++++++++++++++++++ 9 files changed, 63 insertions(+), 9 deletions(-) create mode 100644 query/account/account_alternate_contact_security_registered.sql create mode 100644 query/s3/s3_bucket_protected_by_macie.sql diff --git a/cis_v130/section_1.sp b/cis_v130/section_1.sp index b6cd0b1c..3811b41a 100644 --- a/cis_v130/section_1.sp +++ b/cis_v130/section_1.sp @@ -54,7 +54,7 @@ control "cis_v130_1_1" { control "cis_v130_1_2" { title = "1.2 Ensure security contact information is registered" description = "AWS provides customers with the option of specifying the contact information for accounts security team. It is recommended that this information be provided." - sql = query.manual_control.sql + sql = query.account_alternate_contact_security_registered.sql documentation = file("./cis_v130/docs/cis_v130_1_2.md") tags = merge(local.cis_v130_1_common_tags, { diff --git a/cis_v140/section_1.sp b/cis_v140/section_1.sp index c476e40f..9709d823 100644 --- a/cis_v140/section_1.sp +++ b/cis_v140/section_1.sp @@ -53,7 +53,7 @@ control "cis_v140_1_1" { control "cis_v140_1_2" { title = "1.2 Ensure security contact information is registered" description = "AWS provides customers with the option of specifying the contact information for account's security team. It is recommended that this information be provided." - sql = query.manual_control.sql + sql = query.account_alternate_contact_security_registered.sql documentation = file("./cis_v140/docs/cis_v140_1_2.md") tags = merge(local.cis_v140_1_common_tags, { diff --git a/cis_v140/section_2.sp b/cis_v140/section_2.sp index b6610e9b..4b9343be 100644 --- a/cis_v140/section_2.sp +++ b/cis_v140/section_2.sp @@ -93,7 +93,7 @@ control "cis_v140_2_1_4" { title = "2.1.4 Ensure all data in Amazon S3 has been discovered, classified and secured when required" description = "Amazon S3 buckets can contain sensitive data, that for security purposes should be discovered, monitored, classified and protected. Macie along with other 3rd party tools can automatically provide an inventory of Amazon S3 buckets." documentation = file("./cis_v140/docs/cis_v140_2_1_4.md") - sql = query.manual_control.sql + sql = query.s3_bucket_protected_by_macie.sql tags = merge(local.cis_v140_2_1_common_tags, { cis_item_id = "2.1.4" diff --git a/cis_v150/cis.sp b/cis_v150/cis.sp index cdd0c8ac..ade2b2e2 100644 --- a/cis_v150/cis.sp +++ b/cis_v150/cis.sp @@ -5,7 +5,6 @@ locals { }) } - benchmark "cis_v150" { title = "CIS v1.5.0" description = "The CIS Amazon Web Services Foundations Benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings." diff --git a/cis_v150/section_1.sp b/cis_v150/section_1.sp index c5ebabbe..fa6613fc 100644 --- a/cis_v150/section_1.sp +++ b/cis_v150/section_1.sp @@ -53,7 +53,7 @@ control "cis_v150_1_1" { control "cis_v150_1_2" { title = "1.2 Ensure security contact information is registered" description = "AWS provides customers with the option of specifying the contact information for account's security team. It is recommended that this information be provided." - sql = query.manual_control.sql + sql = query.account_alternate_contact_security_registered.sql documentation = file("./cis_v150/docs/cis_v150_1_2.md") tags = merge(local.cis_v150_1_common_tags, { diff --git a/cis_v150/section_2.sp b/cis_v150/section_2.sp index 84b39349..ce5bf1d8 100644 --- a/cis_v150/section_2.sp +++ b/cis_v150/section_2.sp @@ -97,7 +97,7 @@ control "cis_v150_2_1_4" { title = "2.1.4 Ensure all data in Amazon S3 has been discovered, classified and secured when required" description = "Amazon S3 buckets can contain sensitive data, that for security purposes should be discovered, monitored, classified and protected. Macie along with other 3rd party tools can automatically provide an inventory of Amazon S3 buckets." documentation = file("./cis_v150/docs/cis_v150_2_1_4.md") - sql = query.manual_control.sql + sql = query.s3_bucket_protected_by_macie.sql tags = merge(local.cis_v150_2_1_common_tags, { cis_item_id = "2.1.4" diff --git a/query/account/account_alternate_contact_security_registered.sql b/query/account/account_alternate_contact_security_registered.sql new file mode 100644 index 00000000..dfa96094 --- /dev/null +++ b/query/account/account_alternate_contact_security_registered.sql @@ -0,0 +1,28 @@ +with alternate_security_contact as ( + select + name, + account_id + from + aws_account_alternate_contact + where + contact_type = 'SECURITY' +) +select + -- Required Columns + arn as resource, + case + when a.partition = 'aws-us-gov' then 'info' + -- Name is a required field if setting a security contact + when c.name is not null then 'ok' + else 'alarm' + end as status, + case + when a.partition = 'aws-us-gov' then a.title || ' in GovCloud, manual verification required.' + when c.name is not null then a.title || ' has security contact ' || c.name || ' registered.' + else a.title || ' security contact not registered.' + end as reason, + -- Additional Dimensions + a.account_id +from + aws_account as a + left join alternate_security_contact as c on c.account_id = a.account_id; diff --git a/query/es/es_domain_node_to_node_encryption_enabled.sql b/query/es/es_domain_node_to_node_encryption_enabled.sql index 300dafc2..b9fbe73c 100644 --- a/query/es/es_domain_node_to_node_encryption_enabled.sql +++ b/query/es/es_domain_node_to_node_encryption_enabled.sql @@ -2,10 +2,12 @@ select -- Required Columns arn as resource, case + when region = any(array['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1']) then 'skip' when not enabled then 'alarm' else 'ok' end as status, case + when region = any(array['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1']) then title || ' node-to-node encryption not supported in ' || region || '.' when not enabled then title || ' node-to-node encryption disabled.' else title || ' node-to-node encryption enabled.' end as reason, @@ -13,6 +15,4 @@ select region, account_id from - aws_elasticsearch_domain -where - region != any (ARRAY ['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1']); \ No newline at end of file + aws_elasticsearch_domain; diff --git a/query/s3/s3_bucket_protected_by_macie.sql b/query/s3/s3_bucket_protected_by_macie.sql new file mode 100644 index 00000000..e8128dd9 --- /dev/null +++ b/query/s3/s3_bucket_protected_by_macie.sql @@ -0,0 +1,27 @@ +with bucket_list as ( + select + trim(b::text, '"' ) as bucket_name + from + aws_macie2_classification_job, + jsonb_array_elements(s3_job_definition -> 'BucketDefinitions') as d, + jsonb_array_elements(d -> 'Buckets') as b +) +select + -- Required Columns + b.arn as resource, + case + when b.region = any(array['us-gov-east-1', 'us-gov-west-1']) then 'skip' + when l.bucket_name is not null then 'ok' + else 'alarm' + end status, + case + when b.region = any(array['us-gov-east-1', 'us-gov-west-1']) then b.title || ' not protected by Macie as Macie is not supported in ' || b.region || '.' + when l.bucket_name is not null then b.title || ' protected by Macie.' + else b.title || ' not protected by Macie.' + end reason, + -- Additional Dimensions + b.region, + b.account_id +from + aws_s3_bucket as b + left join bucket_list as l on b.name = l.bucket_name;