turbot · misraved · Dec 8, 2021 · Nov 29, 2021 · Nov 29, 2021 · Nov 29, 2021
diff --git a/conformance_pack/apigateway.sp b/conformance_pack/apigateway.sp
@@ -30,4 +30,24 @@ control "apigateway_stage_logging_enabled" {
     rbi_cyber_security = "true"
     soc_2              = "true"
   })
+}
+
+control "apigateway_rest_api_stage_use_ssl_certificate" {
+  title       = "API Gateway stage should uses SSL certificate"
+  description = "Ensure if a REST API stage uses a Secure Sockets Layer (SSL) certificate. This rule is complaint if the REST API stage does not have an associated SSL certificate."
+  sql         = query.apigateway_rest_api_stage_use_ssl_certificate.sql
+
+  tags = merge(local.conformance_pack_apigateway_common_tags, {
+    rbi_cyber_security = "true"
+  })
+}
+
+control "apigateway_stage_use_waf_web_acl" {
+  title       = "API Gateway stage should be associated with waf"
+  description = "Ensure if an Amazon API Gateway API stage is using a WAF Web ACL. This rule is non complaint if an AWS WAF Web ACL is not used."
+  sql         = query.apigateway_stage_use_waf_web_acl.sql
+
+  tags = merge(local.conformance_pack_apigateway_common_tags, {
+    rbi_cyber_security = "true"
+  })
 }
diff --git a/conformance_pack/autoscaling.sp b/conformance_pack/autoscaling.sp
@@ -14,4 +14,14 @@ control "autoscaling_group_with_lb_use_health_check" {
     nist_800_53_rev_4 = "true"
     nist_csf          = "true"
   })
+}
+
+control "autoscaling_launch_config_public_ip_disabled" {
+  title       = "Auto Scaling launch config public IP should be disabled"
+  description = "Ensure if Amazon EC2 Auto Scaling groups have public IP addresses enabled through Launch Configurations. This rule is non complaint if the Launch Configuration for an Auto Scaling group has AssociatePublicIpAddress set to 'true'."
+  sql         = query.autoscaling_launch_config_public_ip_disabled.sql
+
+  tags = merge(local.conformance_pack_autoscaling_common_tags, {
+    rbi_cyber_security = "true"
+  })
 }
diff --git a/conformance_pack/elb.sp b/conformance_pack/elb.sp
@@ -106,3 +106,13 @@ control "elb_classic_lb_cross_zone_load_balancing_enabled" {
     nist_csf          = "true"
   })
 }
+
+control "elb_application_network_lb_use_ssl_certificate" {
+  title       = "ELB application and network load balancers should only use SSL or HTTPS listeners"
+  description = "Ensure if Application Load Balancers and Network Load Balancers are configured to use certificates from AWS Certificate Manager (ACM). This rule is complaint if at least 1 load balancer is configured without a certificate from ACM."
+  sql         = query.elb_application_network_lb_use_ssl_certificate.sql
+
+  tags = merge(local.conformance_pack_elb_common_tags, {
+    rbi_cyber_security = "true"
+  })
+}
diff --git a/conformance_pack/es.sp b/conformance_pack/es.sp
@@ -42,4 +42,14 @@ control "es_domain_node_to_node_encryption_enabled" {
     nist_800_53_rev_4  = "true"
     rbi_cyber_security = "true"
   })
+}
+
+control "es_domain_logs_to_cloudwatch" {
+  title       = "Elasticsearch domain should send logs to cloudWatch"
+  description = "Ensure if Amazon OpenSearch Service (OpenSearch Service) domains are configured to send logs to Amazon CloudWatch Logs. The rule is complaint if a log is enabled for an OpenSearch Service domain. This rule is non complain if logging is not configured."
+  sql         = query.es_domain_logs_to_cloudwatch.sql
+
+  tags = merge(local.conformance_pack_es_common_tags, {
+    rbi_cyber_security = "true"
+  })
 }
diff --git a/conformance_pack/iam.sp b/conformance_pack/iam.sp
@@ -276,3 +276,13 @@ control "iam_account_password_policy_one_symbol" {
     hipaa = "true"
   })
 }
+
+control "iam_all_policy_no_service_wild_card" {
+  title       = "Ensure IAM policy should not grant full access to service"
+  description = "Checks if AWS Identity and Access Management (IAM) policies grant permissions to all actions on individual AWS resources. The rule is non complaint if the managed IAM policy allows full access to at least 1 AWS service."
+  sql         = query.iam_all_policy_no_service_wild_card.sql
+
+  tags = merge(local.conformance_pack_iam_common_tags, {
+    rbi_cyber_security = "true"
+  })
+}
diff --git a/conformance_pack/rds.sp b/conformance_pack/rds.sp
@@ -168,4 +168,14 @@ control "rds_db_instance_protected_by_backup_plan" {
     nist_csf = "true"
     soc_2    = "true"
   })
+}
+
+control "rds_db_instance_automatic_minor_version_upgrade_enabled" {
+  title       = "RDS DB instance automatic minor version upgrade should be enabled"
+  description = "Ensure if Amazon Relational Database Service (RDS) database instances are configured for automatic minor version upgrades. The rule is NON_COMPLIANT if the value of 'autoMinorVersionUpgrade' is false."
+  sql         = query.rds_db_instance_automatic_minor_version_upgrade_enabled.sql
+
+  tags = merge(local.conformance_pack_rds_common_tags, {
+    rbi_cyber_security = "true"
+  })
 }
diff --git a/conformance_pack/redshift.sp b/conformance_pack/redshift.sp
@@ -52,9 +52,30 @@ control "redshift_cluster_automatic_snapshots_min_7_days" {
   sql         = query.redshift_cluster_automatic_snapshots_min_7_days.sql
 
   tags = merge(local.conformance_pack_redshift_common_tags, {
-    gdpr     = "true"
-    hipaa    = "true"
-    nist_csf = "true"
-    sco_2    = "true"
+    gdpr               = "true"
+    hipaa              = "true"
+    nist_csf           = "true"
+    rbi_cyber_security = "true"
+    sco_2              = "true"
+  })
+}
+
+control "redshift_cluster_kms_enabled" {
+  title       = "Amazon Redshift clusters should be encrypted with KMS"
+  description = "Ensure if Amazon Redshift clusters are using a specified AWS Key Management Service (AWS KMS) key for encryption. The rule is complaint if encryption is enabled and the cluster is encrypted with the key provided in the kmsKeyArn parameter. The rule is non complaint if the cluster is not encrypted or encrypted with another key."
+  sql         = query.redshift_cluster_kms_enabled.sql
+
+  tags = merge(local.conformance_pack_redshift_common_tags, {
+    rbi_cyber_security = "true"
+  })
+}
+
+control "redshift_cluster_maintenance_settings_check" {
+  title       = "Amazon Redshift should have required maintenance settings"
+  description = "Ensure whether Amazon Redshift clusters have the specified maintenance settings. Redshift clusters `allowVersionUpgrade` should be set to `true` and `automatedSnapshotRetentionPeriod` should be greater than 7."
+  sql         = query.redshift_cluster_maintenance_settings_check.sql
+
+  tags = merge(local.conformance_pack_redshift_common_tags, {
+    rbi_cyber_security = "true"
   })
 }
diff --git a/conformance_pack/s3.sp b/conformance_pack/s3.sp
@@ -146,7 +146,8 @@ control "s3_bucket_default_encryption_enabled_kms" {
   sql         = query.s3_bucket_default_encryption_enabled_kms.sql
 
   tags = merge(local.conformance_pack_s3_common_tags, {
-    gdpr  = "true"
-    hipaa = "true"
+    gdpr               = "true"
+    hipaa              = "true"
+    rbi_cyber_security = "true"
   })
 }
diff --git a/conformance_pack/securityhub.sp b/conformance_pack/securityhub.sp
@@ -10,9 +10,10 @@ control "securityhub_enabled" {
   sql         = query.securityhub_enabled.sql
 
   tags = merge(local.conformance_pack_securityhub_common_tags, {
-    hipaa             = "true"
-    nist_800_53_rev_4 = "true"
-    nist_csf          = "true"
-    soc_2             = "true"
+    hipaa              = "true"
+    nist_800_53_rev_4  = "true"
+    nist_csf           = "true"
+    rbi_cyber_security = "true"
+    soc_2              = "true"
   })
 }
diff --git a/conformance_pack/ssm.sp b/conformance_pack/ssm.sp
@@ -43,4 +43,4 @@ control "ssm_managed_instance_compliance_patch_compliant" {
     rbi_cyber_security = "true"
     soc_2              = "true"
   })
-}
+}
diff --git a/conformance_pack/vpc.sp b/conformance_pack/vpc.sp
@@ -123,6 +123,17 @@ control "vpc_subnet_auto_assign_public_ip_disabled" {
   sql         = query.vpc_subnet_auto_assign_public_ip_disabled.sql
 
   tags = merge(local.conformance_pack_vpc_common_tags, {
-    nist_csf = "true"
+    nist_csf           = "true"
+    rbi_cyber_security = "true"
+  })
+}
+
+control "vpc_route_table_restrict_public_access_to_igw" {
+  title       = "VPC route table should restrict public access to IGW"
+  description = "Ensure if there are public routes in the route table to an Internet Gateway (IGW). The rule is complaint if a route to an IGW has a destination CIDR block of '0.0.0.0/0' or '::/0' or if a destination CIDR block does not match the rule parameter."
+  sql         = query.vpc_route_table_restrict_public_access_to_igw.sql
+
+  tags = merge(local.conformance_pack_vpc_common_tags, {
+    rbi_cyber_security = "true"
   })
-}
+}
diff --git a/query/apigateway/apigateway_rest_api_stage_use_ssl_certificate.sql b/query/apigateway/apigateway_rest_api_stage_use_ssl_certificate.sql
@@ -6,7 +6,7 @@ select
     else 'ok'
   end as status,
   case
-    when client_certificate_id is null then title || ' not uses SSL certificate.'
+    when client_certificate_id is null then title || ' does not use SSL certificate.'
     else title || ' uses SSL certificate.'
   end as reason,
   -- Additional Dimensions

diff --git a/query/autoscaling/autoscaling_launch_config_public_ip_disabled.sql b/query/autoscaling/autoscaling_launch_config_public_ip_disabled.sql
@@ -0,0 +1,16 @@
+select
+  -- Required Columns
+  launch_configuration_arn as resource,
+  case
+    when associate_public_ip_address then 'alarm'
+    else 'ok'
+  end as status,
+  case
+    when associate_public_ip_address then title || ' public IP enabled.'
+    else title || ' public IP disabled.'
+  end as reason,
+  -- Additional Dimensions
+  region,
+  account_id
+from
+  aws_ec2_launch_configuration;
diff --git a/query/elb/elb_application_network_lb_use_ssl_certificate.sql b/query/elb/elb_application_network_lb_use_ssl_certificate.sql
@@ -0,0 +1,45 @@
+ with listeners_without_certificate as (
+  select
+    load_balancer_arn,
+    count(*) as count
+  from
+    aws_ec2_load_balancer_listener
+  where arn not in
+    ( select arn from aws_ec2_load_balancer_listener, jsonb_array_elements(certificates) as c
+      where c ->> 'CertificateArn' like 'arn:aws:acm%' )
+  group by load_balancer_arn
+),
+all_application_network_load_balacer as (
+  select
+    arn,
+    account_id,
+    region,
+    title
+  from
+    aws_ec2_application_load_balancer
+  union
+  select
+    arn,
+    account_id,
+    region,
+    title
+  from
+    aws_ec2_network_load_balancer
+)
+select
+  -- Required Columns
+  a.arn as resource,
+  case
+    when b.load_balancer_arn is null then 'ok'
+    else 'alarm'
+  end as status,
+  case
+    when b.load_balancer_arn is null then a.title || ' uses certificates provided by ACM.'
+    else a.title || ' has ' || b.count || ' listeners which do not use certificates provided by ACM.'
+  end as reason,
+  -- Additional Dimensions
+  a.region,
+  a.account_id
+from
+  all_application_network_load_balacer as a
+  left join listeners_without_certificate as b on a.arn = b.load_balancer_arn;
diff --git a/query/elb/elb_classic_lb_use_ssl_certificate.sql b/query/elb/elb_classic_lb_use_ssl_certificate.sql
@@ -18,7 +18,7 @@ select
   end as status,
   case
     when a.listener_descriptions is null then a.title || ' has no listener.'
-    when b.name is not null then a.title || ' not uses certificates provided by ACM.'
+    when b.name is not null then a.title || ' does not use certificates provided by ACM.'
     else a.title || ' uses certificates provided by ACM.'
   end as reason,
   -- Additional Dimensions

diff --git a/query/es/es_domain_logs_to_cloudwatch.sql b/query/es/es_domain_logs_to_cloudwatch.sql
@@ -0,0 +1,39 @@
+select
+  -- Required Columns
+  arn as resource,
+  case
+    when
+      ( log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'true'
+        and log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null
+      )
+      and
+      ( log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'Enabled' = 'true'
+        and log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null
+      )
+      and
+      ( log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'Enabled' = 'true'
+        and log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null
+      )
+       then 'ok'
+    else 'alarm'
+  end as status,
+  case
+    when
+      ( log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'true'
+        and log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null
+      )
+      and
+      ( log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'Enabled' = 'true'
+        and log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null
+      )
+      and
+      ( log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'Enabled' = 'true'
+        and log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null
+      ) then title || ' logging enabled for search , index and error.'
+    else title || ' logging not enabled for all search, index and error.'
+  end as reason,
+  -- Additional Dimensions
+  region,
+  account_id
+from
+  aws_elasticsearch_domain;
diff --git a/query/iam/iam_all_policy_no_service_wild_card.sql b/query/iam/iam_all_policy_no_service_wild_card.sql
@@ -0,0 +1,31 @@
+with wildcard_action_policies as (
+  select
+    arn,
+    count(*) as statements_num
+  from
+    aws_iam_policy,
+    jsonb_array_elements(policy_std -> 'Statement') as s,
+    jsonb_array_elements_text(s -> 'Resource') as resource,
+    jsonb_array_elements_text(s -> 'Action') as action
+  where
+    is_aws_managed = 'false'
+    and s ->> 'Effect' = 'Allow'
+    and resource = '*'
+    and action like '%:*'
+  group by
+    arn
+)
+select
+  -- Required Columns
+  a.arn as resource,
+  case
+    when b.arn is null then 'ok'
+    else 'alarm'
+  end status,
+  a.name || ' contains ' || coalesce(b.statements_num,0)  ||
+     ' statements that allow action "Service:*" on resource "*".' as reason,
+  -- Additional Dimensions
+  a.account_id
+from
+  aws_iam_policy as a
+  left join wildcard_action_policies as b on a.arn = b.arn;
diff --git a/query/redshift/redshift_cluster_kms_enabled.sql b/query/redshift/redshift_cluster_kms_enabled.sql
@@ -0,0 +1,16 @@
+select
+  -- Required Columns
+  'arn:aws:redshift:' || region || ':' || account_id || ':' || 'cluster' || ':' || cluster_identifier as resource,
+  case
+    when encrypted and kms_key_id is not null then 'ok'
+    else 'alarm'
+  end as status,
+  case
+    when encrypted and kms_key_id is not null then title || ' encrypted with KMS.'
+    else title || ' not encrypted with KMS'
+  end as reason,
+  -- Additional Dimensions
+  region,
+  account_id
+from
+  aws_redshift_cluster;
diff --git a/query/redshift/redshift_cluster_maintenance_settings_check.sql b/query/redshift/redshift_cluster_maintenance_settings_check.sql
@@ -0,0 +1,16 @@
+select
+  -- Required Columns
+  'arn:aws:redshift:' || region || ':' || account_id || ':' || 'cluster' || ':' || cluster_identifier as resource,
+  case
+    when allow_version_upgrade and automated_snapshot_retention_period >= 7 then 'ok'
+    else 'alarm'
+  end as status,
+  case
+    when allow_version_upgrade and automated_snapshot_retention_period >= 7 then title || ' has the required maintenance settings.'
+    else title || ' does not have required maintenance settings.'
+  end as reason,
+  -- Additional Dimensions
+  region,
+  account_id
+from
+  aws_redshift_cluster;