Merge pull request #580 from turbot/release/v0.57

Release/v0.57

CHANGELOG.md

@@ -1,3 +1,20 @@
+## v0.57 [2023-03-10]
+
+_Dependencies_
+
+- AWS plugin `v0.95.0` or higher is now required. ([#579](https://github.com/turbot/steampipe-mod-aws-compliance/pull/579))
+
+_What's new?_
+
+- Added CIS Controls v8 IG1 benchmark (`steampipe check benchmark.cis_controls_v8_ig1`). ([#568](https://github.com/turbot/steampipe-mod-aws-compliance/pull/568))
+- Add 30 new controls to Other Compliance Checks benchmark. ([#563](https://github.com/turbot/steampipe-mod-aws-compliance/pull/563))
+
+_Bug fixes_
+
+- Fixed the `cloudtrail_multi_region_trail_enabled` query to correctly evaluate organizational trails. ([#552](https://github.com/turbot/steampipe-mod-aws-compliance/pull/552))
+- Fixed `s3_bucket_restrict_*` queries to correctly check if buckets prohibit public read access or not. ([#548](https://github.com/turbot/steampipe-mod-aws-compliance/pull/548))
+- Fixed `s3_bucket_acls_should_prohibit_user_access` query to correctly evaluate a bucket to be in `ok` state if it does not have ACLs for user access. ([#549](https://github.com/turbot/steampipe-mod-aws-compliance/pull/549))
+
 ## v0.56 [2023-02-03]
 
 _Bug fixes_

README.md

@@ -9,10 +9,12 @@ Or in a terminal:
 ![image](https://raw.githubusercontent.com/turbot/steampipe-mod-aws-compliance/main/docs/aws_cis_v140_console.png)
 
 Includes support for:
+* [AWS CIS Controls v8 IG1](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.cis_controls_v8_ig1) 🚀 New!
 * [AWS CIS v1.2.0](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.cis_v120) 🚀 New!
 * [AWS CIS v1.3.0](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.cis_v130)
 * [AWS CIS v1.4.0](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.cis_v140)
 * [AWS CIS v1.5.0](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.cis_v150)
+* [AWS Foundational Security Best Practices](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.foundational_security)
 * [Audit Manager Control Tower](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.control_tower)
 * [CISA Cyber Essentials](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.cisa_cyber_essentials)
 * [FedRAMP Low Revision 4](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.fedramp_low_rev_4)
@@ -22,13 +24,12 @@ Includes support for:
 * [GxP 21 CFR Part 11](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.gxp_21_cfr_part_11)
 * [GxP EU Annex 11](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.gxp_eu_annex_11)
 * [HIPAA](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.hipaa)
+* [NIST 800-171 Revision 2](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.nist_800_171_rev_2)
 * [NIST 800-53 Revision 4](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.nist_800_53_rev_4)
 * [NIST 800-53 Revision 5](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.nist_800_53_rev_5)
-* [NIST 800-171 Revision 2](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.nist_800_171_rev_2)
 * [NIST Cybersecurity Framework (CSF)](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.nist_csf)
 * [Other Compliance Checks](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.other)
 * [PCI DSS v3.2.1](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.pci_v321)
-* [AWS Foundational Security Best Practices](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.foundational_security)
 * [Reserve Bank of India (RBI) Cyber Security Framework](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.rbi_cyber_security)
 * [SOC 2](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.soc_2)
 

cis_controls_v8_ig1/cis.sp

@@ -0,0 +1,30 @@
+locals {
+  cis_controls_v8_ig1_common_tags = merge(local.aws_compliance_common_tags, {
+    cis_controls_v8_ig1 = "true"
+    type                = "Benchmark"
+  })
+}
+
+benchmark "cis_controls_v8_ig1" {
+  title         = "CIS Controls v8 IG1"
+  description   = "The CIS Critical Security Controls (CIS Controls) are a prioritized set of Safeguards to mitigate the most prevalent cyber-attacks against systems and networks. They are mapped to and referenced by multiple legal, regulatory, and policy frameworks."
+  documentation = file("./cis_controls_v8_ig1/docs/cis_overview.md")
+  children = [
+    benchmark.cis_controls_v8_ig1_1,
+    benchmark.cis_controls_v8_ig1_3,
+    benchmark.cis_controls_v8_ig1_4,
+    benchmark.cis_controls_v8_ig1_5,
+    benchmark.cis_controls_v8_ig1_6,
+    benchmark.cis_controls_v8_ig1_7,
+    benchmark.cis_controls_v8_ig1_8,
+    benchmark.cis_controls_v8_ig1_10,
+    benchmark.cis_controls_v8_ig1_11,
+    benchmark.cis_controls_v8_ig1_12,
+    benchmark.cis_controls_v8_ig1_13,
+    benchmark.cis_controls_v8_ig1_16
+  ]
+
+  tags = merge(local.cis_controls_v8_ig1_common_tags, {
+    type = "Benchmark"
+  })
+}

cis_controls_v8_ig1/cis_controls_v8_ig1_1.sp

@@ -0,0 +1,34 @@
+benchmark "cis_controls_v8_ig1_1" {
+  title       = "1 Inventory and Control of Enterprise Assets"
+  description = "Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate."
+  children = [
+    benchmark.cis_controls_v8_ig1_1_1,
+    benchmark.cis_controls_v8_ig1_1_2
+  ]
+
+  tags = local.cis_controls_v8_ig1_common_tags
+}
+
+benchmark "cis_controls_v8_ig1_1_1" {
+  title       = "1.1 - Establish and Maintain Detailed Enterprise Asset Inventory"
+  description = "Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently."
+  children = [
+    control.ec2_stopped_instance_30_days,
+    control.ssm_managed_instance_compliance_association_compliant,
+    control.vpc_eip_associated,
+    control.vpc_network_acl_unused,
+    control.vpc_security_group_associated_to_eni
+  ]
+
+  tags = local.cis_controls_v8_ig1_common_tags
+}
+
+benchmark "cis_controls_v8_ig1_1_2" {
+  title       = "1.2 - Address Unauthorized Assets"
+  description = "Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset."
+  children = [
+    control.guardduty_enabled
+  ]
+
+  tags = local.cis_controls_v8_ig1_common_tags
+}

cis_controls_v8_ig1/cis_controls_v8_ig1_10.sp

@@ -0,0 +1,30 @@
+benchmark "cis_controls_v8_ig1_10" {
+  title       = "10 Malware Defenses"
+  description = "Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets."
+  children = [
+    benchmark.cis_controls_v8_ig1_10_1,
+    benchmark.cis_controls_v8_ig1_10_2
+  ]
+
+  tags = local.cis_controls_v8_ig1_common_tags
+}
+
+benchmark "cis_controls_v8_ig1_10_1" {
+  title       = "10.1 - Deploy and Maintain Anti-Malware Software"
+  description = "Deploy and maintain anti-malware software on all enterprise assets."
+  children = [
+    control.guardduty_enabled
+  ]
+
+  tags = local.cis_controls_v8_ig1_common_tags
+}
+
+benchmark "cis_controls_v8_ig1_10_2" {
+  title       = "10.2 - Configure Automatic Anti-Malware Signature Updates"
+  description = "Configure automatic updates for anti-malware signature files on all enterprise assets."
+  children = [
+    control.guardduty_enabled
+  ]
+
+  tags = local.cis_controls_v8_ig1_common_tags
+}

cis_controls_v8_ig1/cis_controls_v8_ig1_11.sp

@@ -0,0 +1,65 @@
+benchmark "cis_controls_v8_ig1_11" {
+  title       = "11 Data Recovery"
+  description = "Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state."
+  children = [
+    benchmark.cis_controls_v8_ig1_11_2,
+    benchmark.cis_controls_v8_ig1_11_3,
+    benchmark.cis_controls_v8_ig1_11_4
+  ]
+
+  tags = local.cis_controls_v8_ig1_common_tags
+}
+
+benchmark "cis_controls_v8_ig1_11_2" {
+  title       = "11.2 - Perform Automated Backups"
+  description = "Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data."
+  children = [
+    control.dynamodb_table_in_backup_plan,
+    control.dynamodb_table_point_in_time_recovery_enabled,
+    control.ebs_volume_in_backup_plan,
+    control.ec2_instance_ebs_optimized,
+    control.efs_file_system_in_backup_plan,
+    control.elasticache_redis_cluster_automatic_backup_retention_15_days,
+    control.rds_db_instance_backup_enabled,
+    control.rds_db_instance_in_backup_plan,
+    control.redshift_cluster_automatic_snapshots_min_7_days,
+    control.redshift_cluster_maintenance_settings_check,
+    control.s3_bucket_cross_region_replication_enabled,
+    control.s3_bucket_versioning_enabled
+  ]
+
+  tags = local.cis_controls_v8_ig1_common_tags
+}
+
+benchmark "cis_controls_v8_ig1_11_3" {
+  title       = "11.3 - Protect Recovery Data"
+  description = "Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements."
+  children = [
+    control.ebs_volume_encryption_at_rest_enabled,
+    control.ec2_ebs_default_encryption_enabled,
+    control.rds_db_instance_encryption_at_rest_enabled,
+  ]
+
+  tags = local.cis_controls_v8_ig1_common_tags
+}
+
+benchmark "cis_controls_v8_ig1_11_4" {
+  title       = "11.4 - Establish and Maintain an Isolated Instance of Recovery Data"
+  description = "Establish and maintain an isolated instance of recovery data. Example implementations include, version controlling backup destinations through offline, cloud, or off-site systems or services."
+  children = [
+    control.dynamodb_table_in_backup_plan,
+    control.dynamodb_table_point_in_time_recovery_enabled,
+    control.ebs_volume_in_backup_plan,
+    control.ec2_instance_ebs_optimized,
+    control.efs_file_system_in_backup_plan,
+    control.elasticache_redis_cluster_automatic_backup_retention_15_days,
+    control.rds_db_instance_backup_enabled,
+    control.rds_db_instance_in_backup_plan,
+    control.redshift_cluster_automatic_snapshots_min_7_days,
+    control.redshift_cluster_maintenance_settings_check,
+    control.s3_bucket_cross_region_replication_enabled,
+    control.s3_bucket_versioning_enabled
+  ]
+
+  tags = local.cis_controls_v8_ig1_common_tags
+}

cis_controls_v8_ig1/cis_controls_v8_ig1_12.sp

@@ -0,0 +1,20 @@
+benchmark "cis_controls_v8_ig1_12" {
+  title       = "12 Network Infrastructure Management"
+  description = "Establish, implement, and actively manage (track, report, correct) network devices, in order to prevent attackers from exploiting vulnerable network services and access points."
+  children = [
+    benchmark.cis_controls_v8_ig1_12_1
+  ]
+
+  tags = local.cis_controls_v8_ig1_common_tags
+}
+
+benchmark "cis_controls_v8_ig1_12_1" {
+  title       = "12.1 - Ensure Network Infrastructure is Up-to-Date"
+  description = "Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support."
+  children = [
+    control.ec2_instance_ssm_managed,
+    control.ssm_managed_instance_compliance_patch_compliant
+  ]
+
+  tags = local.cis_controls_v8_ig1_common_tags
+}

cis_controls_v8_ig1/cis_controls_v8_ig1_13.sp

@@ -0,0 +1,41 @@
+benchmark "cis_controls_v8_ig1_13" {
+  title       = "13 Network Monitoring and Defense"
+  description = "Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise’s network infrastructure and user base."
+  children = [
+    benchmark.cis_controls_v8_ig1_13_1,
+    benchmark.cis_controls_v8_ig1_13_3,
+    benchmark.cis_controls_v8_ig1_13_6
+  ]
+
+  tags = local.cis_controls_v8_ig1_common_tags
+}
+
+benchmark "cis_controls_v8_ig1_13_1" {
+  title       = "13.1 - Perform Application Layer Filtering"
+  children = [
+    control.apigateway_stage_use_waf_web_acl,
+    control.guardduty_enabled,
+    control.securityhub_enabled
+  ]
+
+  tags = local.cis_controls_v8_ig1_common_tags
+}
+
+benchmark "cis_controls_v8_ig1_13_3" {
+  title       = "13.3 - Ensure Network Infrastructure is Up-to-Date"
+  children = [
+    control.guardduty_enabled
+  ]
+
+  tags = local.cis_controls_v8_ig1_common_tags
+}
+
+benchmark "cis_controls_v8_ig1_13_6" {
+  title       = "13.6 - Collect Network Traffic Flow Logs"
+  children = [
+    control.vpc_flow_logs_enabled,
+    control.wafv2_web_acl_logging_enabled
+  ]
+
+  tags = local.cis_controls_v8_ig1_common_tags
+}

cis_controls_v8_ig1/cis_controls_v8_ig1_16.sp

@@ -0,0 +1,37 @@
+benchmark "cis_controls_v8_ig1_16" {
+  title       = "16 Application Software Security"
+  description = "Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise."
+  children = [
+    benchmark.cis_controls_v8_ig1_16_1,
+    benchmark.cis_controls_v8_ig1_16_12
+  ]
+
+  tags = local.cis_controls_v8_ig1_common_tags
+}
+
+benchmark "cis_controls_v8_ig1_16_1" {
+  title       = "16.1 - Establish and Maintain a Secure Application Development Process"
+  description = "Deploy and maintain anti-malware software on all enterprise assets."
+  children = [
+    control.codebuild_project_artifact_encryption_enabled,
+    control.codebuild_project_environment_privileged_mode_disabled,
+    control.codebuild_project_logging_enabled,
+    control.codebuild_project_plaintext_env_variables_no_sensitive_aws_values,
+    control.codebuild_project_source_repo_oauth_configured
+  ]
+
+  tags = local.cis_controls_v8_ig1_common_tags
+}
+
+benchmark "cis_controls_v8_ig1_16_12" {
+  title       = "16.12 - Implement Code-Level Security Checks"
+  children = [
+    control.codebuild_project_artifact_encryption_enabled,
+    control.codebuild_project_environment_privileged_mode_disabled,
+    control.codebuild_project_logging_enabled,
+    control.codebuild_project_plaintext_env_variables_no_sensitive_aws_values,
+    control.codebuild_project_source_repo_oauth_configured
+  ]
+
+  tags = local.cis_controls_v8_ig1_common_tags
+}

cis_controls_v8_ig1/cis_controls_v8_ig1_3.sp

@@ -0,0 +1,63 @@
+benchmark "cis_controls_v8_ig1_3" {
+  title       = "3 Data Protection"
+  description = "Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data."
+  children = [
+    benchmark.cis_controls_v8_ig1_3_3,
+    benchmark.cis_controls_v8_ig1_3_4
+  ]
+
+  tags = local.cis_controls_v8_ig1_common_tags
+}
+
+benchmark "cis_controls_v8_ig1_3_3" {
+  title       = "3.3 - Configure Data Access Control Lists"
+  description = "Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications."
+  children = [
+    control.autoscaling_launch_config_public_ip_disabled,
+    control.cloudwatch_log_group_retention_period_365,
+    control.dms_replication_instance_not_publicly_accessible,
+    control.ebs_snapshot_not_publicly_restorable,
+    control.ec2_instance_iam_profile_attached,
+    control.ec2_instance_in_vpc,
+    control.ec2_instance_not_publicly_accessible,
+    control.ec2_instance_uses_imdsv2,
+    control.ecs_task_definition_user_for_host_mode_check,
+    control.eks_cluster_endpoint_restrict_public_access,
+    control.emr_cluster_kerberos_enabled,
+    control.emr_cluster_master_nodes_no_public_ip,
+    control.es_domain_in_vpc,
+    control.iam_all_policy_no_service_wild_card,
+    control.iam_group_not_empty,
+    control.iam_group_user_role_no_inline_policies,
+    control.iam_managed_policy_attached_to_role,
+    control.iam_policy_no_star_star,
+    control.iam_policy_unused,
+    control.iam_root_user_no_access_keys,
+    control.iam_user_in_group,
+    control.iam_user_no_inline_attached_policies,
+    control.lambda_function_in_vpc,
+    control.lambda_function_restrict_public_access,
+    control.rds_db_instance_prohibit_public_access,
+    control.rds_db_snapshot_prohibit_public_access,
+    control.redshift_cluster_prohibit_public_access,
+    control.s3_bucket_policy_restricts_cross_account_permission_changes,
+    control.s3_bucket_restrict_public_read_access,
+    control.s3_bucket_restrict_public_write_access,
+    control.s3_public_access_block_account,
+    control.s3_public_access_block_bucket,
+    control.sagemaker_notebook_instance_direct_internet_access_disabled,
+    control.vpc_subnet_auto_assign_public_ip_disabled
+  ]
+
+  tags = local.cis_controls_v8_ig1_common_tags
+}
+
+benchmark "cis_controls_v8_ig1_3_4" {
+  title       = "3.4 - Enforce Data Retention"
+  description = "Retain data according to the enterprise’s data management process. Data retention must include both minimum and maximum timelines."
+  children = [
+    control.cloudwatch_log_group_retention_period_365
+  ]
+
+  tags = local.cis_controls_v8_ig1_common_tags
+}