Merge pull request #580 from turbot/release/v0.57
Release/v0.57
Showing
90 changed files
with
1,853 additions
and
68 deletions.
@@ -0,0 +1,30 @@ | ||
locals { | ||
cis_controls_v8_ig1_common_tags = merge(local.aws_compliance_common_tags, { | ||
cis_controls_v8_ig1 = "true" | ||
type = "Benchmark" | ||
}) | ||
} | ||
|
||
benchmark "cis_controls_v8_ig1" { | ||
title = "CIS Controls v8 IG1" | ||
description = "The CIS Critical Security Controls (CIS Controls) are a prioritized set of Safeguards to mitigate the most prevalent cyber-attacks against systems and networks. They are mapped to and referenced by multiple legal, regulatory, and policy frameworks." | ||
documentation = file("./cis_controls_v8_ig1/docs/cis_overview.md") | ||
children = [ | ||
benchmark.cis_controls_v8_ig1_1, | ||
benchmark.cis_controls_v8_ig1_3, | ||
benchmark.cis_controls_v8_ig1_4, | ||
benchmark.cis_controls_v8_ig1_5, | ||
benchmark.cis_controls_v8_ig1_6, | ||
benchmark.cis_controls_v8_ig1_7, | ||
benchmark.cis_controls_v8_ig1_8, | ||
benchmark.cis_controls_v8_ig1_10, | ||
benchmark.cis_controls_v8_ig1_11, | ||
benchmark.cis_controls_v8_ig1_12, | ||
benchmark.cis_controls_v8_ig1_13, | ||
benchmark.cis_controls_v8_ig1_16 | ||
] | ||
|
||
tags = merge(local.cis_controls_v8_ig1_common_tags, { | ||
type = "Benchmark" | ||
}) | ||
} |
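Review bot: The `tags = merge(local.cis_controls_v8_ig1_common_tags, { type = "Benchmark" })` at the end of the `cis_controls_v8_ig1` block is redundant, because `cis_controls_v8_ig1_common_tags` in the `locals` block above already sets `type = "Benchmark"`; `tags = local.cis_controls_v8_ig1_common_tags` would be equivalent and would match the form used by every child benchmark in this release. The `children` list also skips Controls 2, 9, 14, 15, 17 and 18; if that is deliberate because those controls have no safeguards an AWS configuration check can evidence, a one-line comment above `children`, e.g. `# Controls 2, 9, 14, 15, 17 and 18 have no AWS-mappable IG1 safeguards and are intentionally omitted`, would stop the next reader from treating the gap as an oversight.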
@@ -0,0 +1,34 @@ | ||
benchmark "cis_controls_v8_ig1_1" { | ||
title = "1 Inventory and Control of Enterprise Assets" | ||
description = "Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate." | ||
children = [ | ||
benchmark.cis_controls_v8_ig1_1_1, | ||
benchmark.cis_controls_v8_ig1_1_2 | ||
] | ||
|
||
tags = local.cis_controls_v8_ig1_common_tags | ||
} | ||
|
||
benchmark "cis_controls_v8_ig1_1_1" { | ||
title = "1.1 - Establish and Maintain Detailed Enterprise Asset Inventory" | ||
description = "Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently." | ||
children = [ | ||
control.ec2_stopped_instance_30_days, | ||
control.ssm_managed_instance_compliance_association_compliant, | ||
control.vpc_eip_associated, | ||
control.vpc_network_acl_unused, | ||
control.vpc_security_group_associated_to_eni | ||
] | ||
|
||
tags = local.cis_controls_v8_ig1_common_tags | ||
} | ||
|
||
benchmark "cis_controls_v8_ig1_1_2" { | ||
title = "1.2 - Address Unauthorized Assets" | ||
description = "Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset." | ||
children = [ | ||
control.guardduty_enabled | ||
] | ||
|
||
tags = local.cis_controls_v8_ig1_common_tags | ||
} |
@@ -0,0 +1,30 @@ | ||
benchmark "cis_controls_v8_ig1_10" { | ||
title = "10 Malware Defenses" | ||
description = "Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets." | ||
children = [ | ||
benchmark.cis_controls_v8_ig1_10_1, | ||
benchmark.cis_controls_v8_ig1_10_2 | ||
] | ||
|
||
tags = local.cis_controls_v8_ig1_common_tags | ||
} | ||
|
||
benchmark "cis_controls_v8_ig1_10_1" { | ||
title = "10.1 - Deploy and Maintain Anti-Malware Software" | ||
description = "Deploy and maintain anti-malware software on all enterprise assets." | ||
children = [ | ||
control.guardduty_enabled | ||
] | ||
|
||
tags = local.cis_controls_v8_ig1_common_tags | ||
} | ||
|
||
benchmark "cis_controls_v8_ig1_10_2" { | ||
title = "10.2 - Configure Automatic Anti-Malware Signature Updates" | ||
description = "Configure automatic updates for anti-malware signature files on all enterprise assets." | ||
children = [ | ||
control.guardduty_enabled | ||
] | ||
|
||
tags = local.cis_controls_v8_ig1_common_tags | ||
} |
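Review bot: Both 10.1 and 10.2 resolve to the single control `control.guardduty_enabled`, so the two benchmarks can never score differently, and for 10.2 in particular an "is GuardDuty enabled" check does not show that anti-malware signature updates are automatic — the mapping is best-effort rather than a direct test of the safeguard. A short comment above the `children` of 10.2 such as `# GuardDuty is a managed detection service; signature currency is not independently checkable, so this mirrors 10.1` would set expectations for anyone reading the report.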
@@ -0,0 +1,65 @@ | ||
benchmark "cis_controls_v8_ig1_11" { | ||
title = "11 Data Recovery" | ||
description = "Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state." | ||
children = [ | ||
benchmark.cis_controls_v8_ig1_11_2, | ||
benchmark.cis_controls_v8_ig1_11_3, | ||
benchmark.cis_controls_v8_ig1_11_4 | ||
] | ||
|
||
tags = local.cis_controls_v8_ig1_common_tags | ||
} | ||
|
||
benchmark "cis_controls_v8_ig1_11_2" { | ||
title = "11.2 - Perform Automated Backups" | ||
description = "Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data." | ||
children = [ | ||
control.dynamodb_table_in_backup_plan, | ||
control.dynamodb_table_point_in_time_recovery_enabled, | ||
control.ebs_volume_in_backup_plan, | ||
control.ec2_instance_ebs_optimized, | ||
control.efs_file_system_in_backup_plan, | ||
control.elasticache_redis_cluster_automatic_backup_retention_15_days, | ||
control.rds_db_instance_backup_enabled, | ||
control.rds_db_instance_in_backup_plan, | ||
control.redshift_cluster_automatic_snapshots_min_7_days, | ||
control.redshift_cluster_maintenance_settings_check, | ||
control.s3_bucket_cross_region_replication_enabled, | ||
control.s3_bucket_versioning_enabled | ||
] | ||
|
||
tags = local.cis_controls_v8_ig1_common_tags | ||
} | ||
|
||
benchmark "cis_controls_v8_ig1_11_3" { | ||
title = "11.3 - Protect Recovery Data" | ||
description = "Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements." | ||
children = [ | ||
control.ebs_volume_encryption_at_rest_enabled, | ||
control.ec2_ebs_default_encryption_enabled, | ||
control.rds_db_instance_encryption_at_rest_enabled, | ||
] | ||
|
||
tags = local.cis_controls_v8_ig1_common_tags | ||
} | ||
|
||
benchmark "cis_controls_v8_ig1_11_4" { | ||
title = "11.4 - Establish and Maintain an Isolated Instance of Recovery Data" | ||
description = "Establish and maintain an isolated instance of recovery data. Example implementations include, version controlling backup destinations through offline, cloud, or off-site systems or services." | ||
children = [ | ||
control.dynamodb_table_in_backup_plan, | ||
control.dynamodb_table_point_in_time_recovery_enabled, | ||
control.ebs_volume_in_backup_plan, | ||
control.ec2_instance_ebs_optimized, | ||
control.efs_file_system_in_backup_plan, | ||
control.elasticache_redis_cluster_automatic_backup_retention_15_days, | ||
control.rds_db_instance_backup_enabled, | ||
control.rds_db_instance_in_backup_plan, | ||
control.redshift_cluster_automatic_snapshots_min_7_days, | ||
control.redshift_cluster_maintenance_settings_check, | ||
control.s3_bucket_cross_region_replication_enabled, | ||
control.s3_bucket_versioning_enabled | ||
] | ||
|
||
tags = local.cis_controls_v8_ig1_common_tags | ||
} |
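Review bot: `control.ec2_instance_ebs_optimized` and `control.redshift_cluster_maintenance_settings_check` in the 11.2 list are performance and maintenance-window settings, not backup controls, and the 11.4 "Isolated Instance of Recovery Data" list is a verbatim copy of 11.2, so isolation is currently scored by exactly the same checks as "perform backups"; only `control.s3_bucket_cross_region_replication_enabled` in that list actually evidences a separate copy. Consider dropping the two non-backup controls from 11.2 and trimming 11.4 to the controls that demonstrate a second, separated copy (cross-region replication and the backup-plan controls). 11.3 "Protect Recovery Data" maps only to primary-volume/instance encryption; if the mod has snapshot or backup-vault encryption checks, they would fit the safeguard better. Minor style: the 11.3 list ends with a trailing comma after `control.rds_db_instance_encryption_at_rest_enabled,` — valid HCL, but no other list in this release does that.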
@@ -0,0 +1,20 @@ | ||
benchmark "cis_controls_v8_ig1_12" { | ||
title = "12 Network Infrastructure Management" | ||
description = "Establish, implement, and actively manage (track, report, correct) network devices, in order to prevent attackers from exploiting vulnerable network services and access points." | ||
children = [ | ||
benchmark.cis_controls_v8_ig1_12_1 | ||
] | ||
|
||
tags = local.cis_controls_v8_ig1_common_tags | ||
} | ||
|
||
benchmark "cis_controls_v8_ig1_12_1" { | ||
title = "12.1 - Ensure Network Infrastructure is Up-to-Date" | ||
description = "Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support." | ||
children = [ | ||
control.ec2_instance_ssm_managed, | ||
control.ssm_managed_instance_compliance_patch_compliant | ||
] | ||
|
||
tags = local.cis_controls_v8_ig1_common_tags | ||
} |
@@ -0,0 +1,41 @@ | ||
benchmark "cis_controls_v8_ig1_13" { | ||
title = "13 Network Monitoring and Defense" | ||
description = "Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise’s network infrastructure and user base." | ||
children = [ | ||
benchmark.cis_controls_v8_ig1_13_1, | ||
benchmark.cis_controls_v8_ig1_13_3, | ||
benchmark.cis_controls_v8_ig1_13_6 | ||
] | ||
|
||
tags = local.cis_controls_v8_ig1_common_tags | ||
} | ||
|
||
benchmark "cis_controls_v8_ig1_13_1" { | ||
title = "13.1 - Perform Application Layer Filtering" | ||
children = [ | ||
control.apigateway_stage_use_waf_web_acl, | ||
control.guardduty_enabled, | ||
control.securityhub_enabled | ||
] | ||
|
||
tags = local.cis_controls_v8_ig1_common_tags | ||
} | ||
|
||
benchmark "cis_controls_v8_ig1_13_3" { | ||
title = "13.3 - Ensure Network Infrastructure is Up-to-Date" | ||
children = [ | ||
control.guardduty_enabled | ||
] | ||
|
||
tags = local.cis_controls_v8_ig1_common_tags | ||
} | ||
|
||
benchmark "cis_controls_v8_ig1_13_6" { | ||
title = "13.6 - Collect Network Traffic Flow Logs" | ||
children = [ | ||
control.vpc_flow_logs_enabled, | ||
control.wafv2_web_acl_logging_enabled | ||
] | ||
|
||
tags = local.cis_controls_v8_ig1_common_tags | ||
} |
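Review bot: 13.3 is titled "Ensure Network Infrastructure is Up-to-Date", which is the 12.1 title from this same release and does not match the GuardDuty-only mapping beneath it, so it reads as a copy-paste slip; 13.1, 13.3 and 13.6 also carry no `description`, unlike every other sub-benchmark added here. Please check the numbers and titles against the published CIS Controls v8 document before release — my recollection is that Control 13 has no IG1 safeguards and that "Perform Application Layer Filtering" is numbered 13.10 rather than 13.1 — and add the safeguard text as `description` on each of the three, e.g. `description = "Collect network traffic flow logs and/or network traffic to review and alert upon from network devices."` for 13.6.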
@@ -0,0 +1,37 @@ | ||
benchmark "cis_controls_v8_ig1_16" { | ||
title = "16 Application Software Security" | ||
description = "Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise." | ||
children = [ | ||
benchmark.cis_controls_v8_ig1_16_1, | ||
benchmark.cis_controls_v8_ig1_16_12 | ||
] | ||
|
||
tags = local.cis_controls_v8_ig1_common_tags | ||
} | ||
|
||
benchmark "cis_controls_v8_ig1_16_1" { | ||
title = "16.1 - Establish and Maintain a Secure Application Development Process" | ||
description = "Deploy and maintain anti-malware software on all enterprise assets." | ||
children = [ | ||
control.codebuild_project_artifact_encryption_enabled, | ||
control.codebuild_project_environment_privileged_mode_disabled, | ||
control.codebuild_project_logging_enabled, | ||
control.codebuild_project_plaintext_env_variables_no_sensitive_aws_values, | ||
control.codebuild_project_source_repo_oauth_configured | ||
] | ||
|
||
tags = local.cis_controls_v8_ig1_common_tags | ||
} | ||
|
||
benchmark "cis_controls_v8_ig1_16_12" { | ||
title = "16.12 - Implement Code-Level Security Checks" | ||
children = [ | ||
control.codebuild_project_artifact_encryption_enabled, | ||
control.codebuild_project_environment_privileged_mode_disabled, | ||
control.codebuild_project_logging_enabled, | ||
control.codebuild_project_plaintext_env_variables_no_sensitive_aws_values, | ||
control.codebuild_project_source_repo_oauth_configured | ||
] | ||
|
||
tags = local.cis_controls_v8_ig1_common_tags | ||
} |
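Review bot: The `description` on 16.1 ("Deploy and maintain anti-malware software on all enterprise assets.") is the 10.1 safeguard text copied over and says nothing about a secure application development process; 16.12 has no `description` at all, and both benchmarks list the same five CodeBuild controls, so they will always produce identical results. Replace the 16.1 text with the actual 16.1 safeguard wording, add a `description` to 16.12, and if the two mappings are intentionally identical say so in a comment above the second `children` list. It is also worth confirming that Control 16 has IG1 safeguards at all — as far as I recall 16.1 and 16.12 are IG2 and IG3 respectively — since this file is shipped under the IG1 benchmark.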
@@ -0,0 +1,63 @@ | ||
benchmark "cis_controls_v8_ig1_3" { | ||
title = "3 Data Protection" | ||
description = "Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data." | ||
children = [ | ||
benchmark.cis_controls_v8_ig1_3_3, | ||
benchmark.cis_controls_v8_ig1_3_4 | ||
] | ||
|
||
tags = local.cis_controls_v8_ig1_common_tags | ||
} | ||
|
||
benchmark "cis_controls_v8_ig1_3_3" { | ||
title = "3.3 - Configure Data Access Control Lists" | ||
description = "Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications." | ||
children = [ | ||
control.autoscaling_launch_config_public_ip_disabled, | ||
control.cloudwatch_log_group_retention_period_365, | ||
control.dms_replication_instance_not_publicly_accessible, | ||
control.ebs_snapshot_not_publicly_restorable, | ||
control.ec2_instance_iam_profile_attached, | ||
control.ec2_instance_in_vpc, | ||
control.ec2_instance_not_publicly_accessible, | ||
control.ec2_instance_uses_imdsv2, | ||
control.ecs_task_definition_user_for_host_mode_check, | ||
control.eks_cluster_endpoint_restrict_public_access, | ||
control.emr_cluster_kerberos_enabled, | ||
control.emr_cluster_master_nodes_no_public_ip, | ||
control.es_domain_in_vpc, | ||
control.iam_all_policy_no_service_wild_card, | ||
control.iam_group_not_empty, | ||
control.iam_group_user_role_no_inline_policies, | ||
control.iam_managed_policy_attached_to_role, | ||
control.iam_policy_no_star_star, | ||
control.iam_policy_unused, | ||
control.iam_root_user_no_access_keys, | ||
control.iam_user_in_group, | ||
control.iam_user_no_inline_attached_policies, | ||
control.lambda_function_in_vpc, | ||
control.lambda_function_restrict_public_access, | ||
control.rds_db_instance_prohibit_public_access, | ||
control.rds_db_snapshot_prohibit_public_access, | ||
control.redshift_cluster_prohibit_public_access, | ||
control.s3_bucket_policy_restricts_cross_account_permission_changes, | ||
control.s3_bucket_restrict_public_read_access, | ||
control.s3_bucket_restrict_public_write_access, | ||
control.s3_public_access_block_account, | ||
control.s3_public_access_block_bucket, | ||
control.sagemaker_notebook_instance_direct_internet_access_disabled, | ||
control.vpc_subnet_auto_assign_public_ip_disabled | ||
] | ||
|
||
tags = local.cis_controls_v8_ig1_common_tags | ||
} | ||
|
||
benchmark "cis_controls_v8_ig1_3_4" { | ||
title = "3.4 - Enforce Data Retention" | ||
description = "Retain data according to the enterprise’s data management process. Data retention must include both minimum and maximum timelines." | ||
children = [ | ||
control.cloudwatch_log_group_retention_period_365 | ||
] | ||
|
||
tags = local.cis_controls_v8_ig1_common_tags | ||
} |
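Review bot: `control.cloudwatch_log_group_retention_period_365` is listed under 3.3 "Configure Data Access Control Lists" although it is a retention check, and it already appears under 3.4 "Enforce Data Retention" where it belongs, so it should be removed from 3.3. In the same list, `control.iam_group_not_empty` and `control.iam_policy_unused` are IAM hygiene checks rather than access-list configuration, and `control.ec2_instance_uses_imdsv2` is a metadata-service hardening control; they may be defensible as "least privilege" evidence but a comment stating that rationale, e.g. `# IAM hygiene controls included as indirect evidence of need-to-know access`, would make the mapping reviewable.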