vpc_security_group_associated.sql added with distinct to filter security groups and nist_csf_pr_ds_3 now uses new query. Closes #282 #283

Merged
merged 2 commits into from
Sep 23, 2021
4 changes: 2 additions & 2 deletions conformance_pack/vpc.sp
Expand Up @@ -102,10 +102,10 @@ control "vpc_eip_associated" {
})
}

control "vpc_security_group_associated" {
control "vpc_security_group_associated_to_eni" {
title = "VPC security groups should be associated with at least one ENI"
description = "This rule ensures the security groups are attached to an Amazon Elastic Compute Cloud (Amazon EC2) instance or to an ENI. This rule helps monitoring unused security groups in the inventory and the management of your environment."
sql = query.vpc_security_group_associated.sql
sql = query.vpc_security_group_associated_to_eni.sql

tags = merge(local.conformance_pack_ec2_common_tags, {
nist_csf = "true"
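Review bot: The rename from `vpc_security_group_associated` to `vpc_security_group_associated_to_eni` drops the old control name from the pack, so any benchmark other than `nist_csf/function_pr.sp` that still lists `control.vpc_security_group_associated` will fail to resolve; grep the repo for the old name before merging and call the rename out in the changelog as a breaking change for mods that reference the control. The unchanged description still says the group must be attached to an EC2 instance or an ENI, which matches the new query only because instance attachments surface as ENIs; consider wording it around ENIs to match the title.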
2 changes: 1 addition & 1 deletion nist_csf/function_pr.sp
Expand Up @@ -220,7 +220,7 @@ benchmark "nist_csf_pr_ds_3" {
control.ec2_instance_ssm_managed,
control.ssm_managed_instance_compliance_association_compliant,
control.vpc_eip_associated,
control.vpc_security_group_associated,
control.vpc_security_group_associated_to_eni,
]

tags = local.nist_csf_common_tags
4 changes: 3 additions & 1 deletion query/vpc/vpc_security_group_associated.sql
@@ -1,3 +1,5 @@
-- This also addresses, Lambda in VPC.
-- As Lambda creates an elastic network interface for each subnet in your function's VPC configuration.
with associated_sg as (
select
sg ->> 'GroupId' as secgrp_id,
Expand All @@ -8,7 +10,7 @@ with associated_sg as (
)
select
-- Required Columns
s.arn as resource,
distinct s.arn as resource,
case
when a.secgrp_id = s.group_id then 'ok'
else 'alarm'
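Review bot: `distinct` on this select applies to the whole projected row (resource, status, reason, region, account_id), not to `s.arn` alone, so it only collapses the duplicate rows the per-ENI join produces because those rows happen to be identical; aggregating in the CTE with `group by sg ->> 'GroupId'`, as the new `_to_eni` query does, removes the duplicates at the source and is the more robust fix. With the conformance-pack control now pointing at `vpc_security_group_associated_to_eni.sql`, also confirm that some control still references this file, otherwise the edit lands in dead code. Minor: the first comment has a stray comma ("addresses, Lambda").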
26 changes: 26 additions & 0 deletions query/vpc/vpc_security_group_associated_to_eni.sql
@@ -0,0 +1,26 @@
with associated_sg as (
select
count(sg ->> 'GroupId'),
sg ->> 'GroupId' as secgrp_id
from
aws_ec2_network_interface,
jsonb_array_elements(groups) as sg
group by sg ->> 'GroupId'
)
select
-- Required Columns
distinct s.arn as resource,
case
when a.secgrp_id = s.group_id then 'ok'
else 'alarm'
end as status,
case
when a.secgrp_id = s.group_id then s.title || ' is associated with ' || a.count || ' ENI(s).'
else s.title || ' not associated to any ENI.'
end as reason,
-- Additional Dimensions
s.region,
s.account_id
from
aws_vpc_security_group as s
left join associated_sg as a on s.group_id = a.secgrp_id;
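Review bot: `count(sg ->> 'GroupId')` is left unaliased and later read as `a.count`, which only works because Postgres names an unaliased aggregate column after the function; alias it explicitly (`count(*) as eni_count`) and use `a.eni_count` in the reason text. Because the CTE is grouped by GroupId, each security group joins to at most one row, so `distinct` is redundant here, and both `case` tests can be simplified to `a.secgrp_id is not null` since the join condition already guarantees equality. Minor wording: 'not associated to any ENI' reads better as 'is not associated with any ENI'.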