Initial other-checks benchmark

conformance_pack/acm.sp

@@ -22,3 +22,23 @@ control "acm_certificate_expires_30_days" {
     soc_2                  = "true"
   })
 }
+
+control "acm_certificate_transparency_logging_enabled" {
+  title       = "ACM certificates transparency logging should be enabled"
+  description = "Ensure ACM certificates transparency logging is enabled as certificate transparency logging guards against SSL/TLS certificates issued by mistake or by a compromised certificate authority."
+  sql         = query.acm_certificate_transparency_logging_enabled.sql
+
+  tags = merge(local.conformance_pack_acm_common_tags, {
+    other_checks = "true"
+  })
+}
+
+control "acm_certificate_no_wildcard_domain_name" {
+  title       = "ACM certificates should not use wildcard certificates"
+  description = "Ensure that ACM single domain name certificates are used instead of wildcard certificates within your AWS account in order to follow security best practices and protect each domain/subdomain with its own unique private key."
+  sql         = query.acm_certificate_no_wildcard_domain_name.sql
+
+  tags = merge(local.conformance_pack_acm_common_tags, {
+    other_checks = "true"
+  })
+}

conformance_pack/apigateway.sp

@@ -64,3 +64,13 @@ control "apigateway_stage_use_waf_web_acl" {
     rbi_cyber_security     = "true"
   })
 }
+
+control "apigateway_rest_api_authorizers_configured" {
+  title       = "API Gateway stages should have authorizers configured"
+  description = "Ensure if API Gateway stages have authorizers configured."
+  sql         = query.apigateway_rest_api_authorizers_configured.sql
+
+  tags = merge(local.conformance_pack_apigateway_common_tags, {
+    other_checks = "true"
+  })
+}

conformance_pack/autoscaling.sp

@@ -33,3 +33,14 @@ control "autoscaling_launch_config_public_ip_disabled" {
     rbi_cyber_security     = "true"
   })
 }
+
+control "autoscaling_group_no_suspended_process" {
+  title       = "Auto Scaling groups should not have any suspended processes"
+  description = "Ensure there are no Auto Scaling Groups (ASGs) with suspended processes  provisioned in your AWS account  in order to avoid disrupting the auto scaling workflow."
+  sql         = query.autoscaling_group_no_suspended_processe.sql
+
+  tags = merge(local.conformance_pack_autoscaling_common_tags, {
+    other_checks = "true"
+  })
+}
+

conformance_pack/cloudformation.sp

@@ -0,0 +1,36 @@
+locals {
+  conformance_pack_cloudformation_common_tags = merge(local.aws_compliance_common_tags, {
+    service = "AWS/CloudFormation"
+  })
+}
+
+control "cloudformation_stack_output_no_secrets" {
+  title       = "CloudFormation stacks output should not have any secrets"
+  description = "Ensure CloudFormation stacks outputs does not contain any secrets like user names, passwords, and tokens. This is recommended to remove secrtes as outputs cannot be encrypted resulting in any entity with basic read-metadata-only and access to CloudFormation outputs having access to these secrets."
+  sql         = query.cloudformation_stack_output_no_secrets.sql
+
+  tags = merge(local.conformance_pack_cloudformation_common_tags, {
+    other_checks = "true"
+  })
+}
+
+control "cloudformation_stack_notifications_enabled" {
+  title       = "CloudFormation stacks notifications should be enabled"
+  description = "Ensure CloudFormation stacks are associated with an SNS topic in order to receive notifications when an event occurs."
+  sql         = query.cloudformation_stack_notifications_enabled.sql
+
+  tags = merge(local.conformance_pack_cloudformation_common_tags, {
+    other_checks = "true"
+  })
+}
+
+control "cloudformation_stack_rollback_enabled" {
+  title       = "CloudFormation stacks rollback should be enabled"
+  description = "Ensure CloudFormation stacks rollback are enabled. Rollback triggers enable you to have AWS CloudFormation monitor the state of your application during stack creation and updating, and to roll back that operation if the application breaches the threshold of any of the alarms you've specified."
+  sql         = query.cloudformation_stack_rollback_enabled.sql
+
+  tags = merge(local.conformance_pack_cloudformation_common_tags, {
+    other_checks = "true"
+  })
+}
+

conformance_pack/cloudfront.sp

@@ -10,7 +10,17 @@ control "cloudfront_distribution_encryption_in_transit_enabled" {
   sql         = query.cloudfront_distribution_encryption_in_transit_enabled.sql
 
   tags = merge(local.conformance_pack_cloudfront_common_tags, {
-    gdpr = "true"
+    gdpr  = "true"
     hipaa = "true"
   })
-}
+}
+
+control "cloudfront_distribution_geo_restrictions_enabled" {
+  title       = "CloudFront distributions geo restrictions should be enabled"
+  description = "Geographic restrictions is used to restrict access to all of the files that are associated with a distribution and to restrict access at the country level."
+  sql         = query.cloudfront_distribution_geo_restrictions_enabled.sql
+
+  tags = merge(local.conformance_pack_cloudfront_common_tags, {
+    other_checks = "true"
+  })
+}

conformance_pack/ec2.sp

@@ -134,3 +134,43 @@ control "ec2_instance_iam_profile_attached" {
     nist_800_53_rev_5 = "true"
   })
 }
+
+control "ec2_instance_publicly_accessible_iam_profile_attached" {
+  title       = "EC2 public instances should have IAM profile attached"
+  description = "Ensure if an Amazon Elastic Compute Cloud (Amazon EC2) public instances has an Identity and Access Management (IAM) profile attached to it. This rule is non compliant if no IAM profile is attached to public Amazon EC2 instance."
+  sql         = query.ec2_instance_publicly_accessible_iam_profile_attached.sql
+
+  tags = merge(local.conformance_pack_ec2_common_tags, {
+    other_checks = "true"
+  })
+}
+
+control "ec2_instance_user_data_no_secrets" {
+  title       = "EC2 instances user data should not have secrets"
+  description = "User data is a metadata field of an EC2 instance that allows custom code to run after the instance is launched. It contains code exposed to any entity which has the most basic access to EC2, even read-only configurations. This is recommended to not use secrets in user data."
+  sql         = query.ec2_instance_user_data_no_secrets.sql
+
+  tags = merge(local.conformance_pack_ec2_common_tags, {
+    other_checks = "true"
+  })
+}
+
+control "ec2_transit_gateway_auto_cross_account_attachment_disabled" {
+  title       = "EC2 transit gateways auto accept shared attachments should be disabled"
+  description = "Ensure if Transit Gateways auto accept shared attachments is disabled. If this setting is disabled, then any VPC that attempts to attach to the transit gateway will need to request authorization, and the account that owns the Transit Gateway will need to accept the authorization."
+  sql         = query.ec2_transit_gateway_auto_cross_account_attachment_disabled.sql
+
+  tags = merge(local.conformance_pack_ec2_common_tags, {
+    other_checks = "true"
+  })
+}
+
+control "ec2_instance_no_launch_wizard_security_group" {
+  title       = "EC2 instances should not be attached to 'launch wizard' security groups"
+  description = "Ensure that EC2 instances provisioned in your AWS account are not associated with security groups that have their name prefixed with 'launch-wizard', in order to enforce using secure and custom security groups that exercise the principle of least privilege."
+  sql         = query.ec2_instance_no_launch_wizard_security_group.sql
+
+  tags = merge(local.conformance_pack_ec2_common_tags, {
+    other_checks = "true"
+  })
+}

conformance_pack/ecr.sp

@@ -0,0 +1,26 @@
+locals {
+  conformance_pack_ecr_common_tags = merge(local.aws_compliance_common_tags, {
+    service = "AWS/ECR"
+  })
+}
+
+control "ecr_repository_image_scan_on_push_enabled" {
+  title       = "ECR repositories image scan on push should be enabled"
+  description = "Ensure if a Amazon Elastic Container Registry (ECR) repositories has image scanning enabled. The rule is non compliant if image scanning is not enabled for the private ECR repository."
+  sql         = query.ecr_repository_image_scan_on_push_enabled.sql
+
+  tags = merge(local.conformance_pack_ecr_common_tags, {
+    other_checks = "true"
+  })
+}
+
+control "ecr_repository_prohibit_public_access" {
+  title       = "ECR repositories should prohibit public access"
+  description = "Ensure there are no ECR repositories set as public."
+  sql         = query.ecr_repository_prohibit_public_access.sql
+
+  tags = merge(local.conformance_pack_ecr_common_tags, {
+    other_checks = "true"
+  })
+}
+

conformance_pack/ecs.sp

@@ -16,3 +16,13 @@ control "ecs_task_definition_user_for_host_mode_check" {
     nist_800_53_rev_5      = "true"
   })
 }
+
+control "ecs_task_definition_logging_enabled" {
+  title       = "ECS task definitions logging should be enabled"
+  description = "Ensure if task definitions logging is enabled to access your containerized application logs for debugging and auditing purposes. On top of centralized logging, these log drivers often include additional capabilities that are useful for operation"
+  sql         = query.ecs_task_definition_logging_enabled.sql
+
+  tags = merge(local.conformance_pack_ecs_common_tags, {
+    other_checks = "true"
+  })
+}

conformance_pack/efs.sp

@@ -49,3 +49,23 @@ control "efs_file_system_protected_by_backup_plan" {
     soc_2                  = "true"
   })
 }
+
+control "efs_file_system_encrypted_with_cmk" {
+  title       = "EFS file systems should be encrypted with CMK"
+  description = "Ensure if Amazon Elastic File Systems (Amazon EFS) are encrypted using CMK. The rule is non complaint if the EFS File System is not encrypted using CMK."
+  sql         = query.efs_file_system_encrypted_with_cmk.sql
+
+  tags = merge(local.conformance_pack_efs_common_tags, {
+    other_checks = "true"
+  })
+}
+
+control "efs_file_system_enforces_ssl" {
+  title       = "EFS file systems should enforce SSL"
+  description = "To help protect data in transit, ensure that your EFS file systems require requests to use Secure Socket Layer (SSL)."
+  sql         = query.efs_file_system_enforces_ssl.sql
+
+  tags = merge(local.conformance_pack_efs_common_tags, {
+    other_checks = "true"
+  })
+}

conformance_pack/eks.sp

@@ -23,3 +23,23 @@ control "eks_cluster_endpoint_restrict_public_access" {
     nist_csf = "true"
   })
 }
+
+control "eks_cluster_control_plane_audit_logging_enabled" {
+  title       = "EKS clusters control panel audit logging should be enabled"
+  description = "Amazon EKS control plane audit logging should be enabled. These logs make it easy to secure and run clusters."
+  sql         = query.eks_cluster_control_plane_audit_logging_enabled.sql
+
+  tags = merge(local.conformance_pack_eks_common_tags, {
+    other_checks = "true"
+  })
+}
+
+control "eks_cluster_no_default_vpc" {
+  title       = "EKS clusters should not be configured within a default VPC"
+  description = "Ensure to configure a new VPC for your EKS cluster as default VPC comes with a default configuration that lacks the proper security controls. Your network should be well configured and follow the least privilege principle, meaning only the necessary privileges are granted."
+  sql         = query.eks_cluster_no_default_vpc.sql
+
+  tags = merge(local.conformance_pack_eks_common_tags, {
+    other_checks = "true"
+  })
+}

conformance_pack/elb.sp

@@ -148,3 +148,34 @@ control "elb_application_network_lb_use_ssl_certificate" {
     rbi_cyber_security     = "true"
   })
 }
+
+control "elb_listener_use_secure_ssl_cipher" {
+  title       = "ELB listeners should use secure SSL cipher"
+  description = "Ensure that ELB listeners does not have any insecure SSL ciphers. Using insecure and deprecated ciphers for your ELB Predefined Security Policy or Custom Security Policy could make the SSL connection between the client and the load balancer vulnerable to exploits."
+  sql         = query.elb_listener_use_secure_ssl_cipher.sql
+
+  tags = merge(local.conformance_pack_elb_common_tags, {
+    other_checks = "true"
+  })
+}
+
+control "elb_application_classic_network_lb_prohibit_public_access" {
+  title       = "ELB load balancers should prohibit public access"
+  description = "An internet-facing load balancer has a publicly resolvable DNS name, so it can route requests from clients over the internet to the EC2 instances that are registered with the load balancer."
+  sql         = query.elb_application_classic_network_lb_prohibit_public_access.sql
+
+  tags = merge(local.conformance_pack_elb_common_tags, {
+    other_checks = "true"
+  })
+}
+
+control "elb_application_classic_lb_with_outbound_rule" {
+  title       = "ELB application and classic load balancer should have at leat one outbound rule"
+  description = "Ensure application and classic load balancers have at leat one outbound rule in all the attached security groups. A security group without any outbound rules rejects all outgoing traffic. This means that all outgoing traffic originating from your cloud assets (instances, containers, etc.) will be dropped when it reaches the ELB layer."
+  sql         = query.elb_application_classic_lb_with_outbound_rule.sql
+
+  tags = merge(local.conformance_pack_elb_common_tags, {
+    other_checks = "true"
+  })
+}
+

conformance_pack/es.sp

@@ -56,8 +56,8 @@ control "es_domain_node_to_node_encryption_enabled" {
 }
 
 control "es_domain_logs_to_cloudwatch" {
-  title       = "Elasticsearch domain should send logs to CloudWatch"
-  description = "Ensure if Amazon OpenSearch Service (OpenSearch Service) domains are configured to send logs to Amazon CloudWatch Logs. The rule is complaint if a log is enabled for an OpenSearch Service domain. This rule is non complain if logging is not configured."
+  title       = "Elasticsearch domain should send logs to cloudWatch"
+  description = "Ensure if Amazon OpenSearch Service (OpenSearch Service) domains are configured to send logs to Amazon CloudWatch Logs. The rule is complaint if a log is enabled for an OpenSearch Service domain. This rule is non compliant if logging is not configured."
   sql         = query.es_domain_logs_to_cloudwatch.sql
 
   tags = merge(local.conformance_pack_es_common_tags, {
@@ -68,3 +68,23 @@ control "es_domain_logs_to_cloudwatch" {
     rbi_cyber_security     = "true"
   })
 }
+
+control "es_domain_cognito_authentication_enabled" {
+  title       = "Elasticsearch domains cognito authentication should be enabled"
+  description = "Amazon Elasticsearch service uses Amazon Cognito to offer user name and password protection for Kibana. This control is non compliant if Amazon Cognito authentication is not enabled."
+  sql         = query.es_domain_cognito_authentication_enabled.sql
+
+  tags = merge(local.conformance_pack_es_common_tags, {
+    other_checks = "true"
+  })
+}
+
+control "es_domain_internal_user_database_enabled" {
+  title       = "Elasticsearch domains internal user database should be enabled"
+  description = "Ensure if Elasticsearch domains internal user database should be enabled. This control is non compliant if domains internal user database is not enabled."
+  sql         = query.es_domain_internal_user_database_enabled.sql
+
+  tags = merge(local.conformance_pack_es_common_tags, {
+    other_checks = "true"
+  })
+}

conformance_pack/glue.sp

@@ -0,0 +1,67 @@
+locals {
+  conformance_pack_glue_common_tags = {
+    service = "AWS/Glue"
+  }
+}
+
+control "glue_dev_endpoint_cloudwatch_logs_encryption_enabled" {
+  title       = "Glue dev endpoints cloudWatch logs encryption should be enabled"
+  description = "Ensure if glue dev endpoint cloudWatch logs encryption is enabled to protect sensitive information at rest."
+  sql         = query.glue_dev_endpoint_cloudwatch_logs_encryption_enabled.sql
+
+  tags = merge(local.conformance_pack_fsx_common_tags, {
+    other_checks = "true"
+  })
+}
+
+control "glue_dev_endpoint_job_bookmarks_encryption_enabled" {
+  title       = "Glue dev endpoint job bookmarks encryption should be enabled"
+  description = "Ensure if glue dev endpoint job bookmrks encryption is enabled to protect sensitive information at rest."
+  sql         = query.glue_dev_endpoint_job_bookmarks_encryption_enabled.sql
+
+  tags = merge(local.conformance_pack_fsx_common_tags, {
+    other_checks = "true"
+  })
+}
+
+control "glue_dev_endpoint_s3_encryption_enabled" {
+  title       = "Glue dev endpoints S3 encryption should be enabled"
+  description = "Ensure if glue dev endpoint S3 encryption is enabled to protect sensitive information at rest."
+  sql         = query.glue_dev_endpoint_s3_encryption_enabled.sql
+
+  tags = merge(local.conformance_pack_fsx_common_tags, {
+    other_checks = "true"
+  })
+}
+
+control "glue_job_cloudwatch_logs_encryption_enabled" {
+  title       = "Glue jobs CloudWatch logs encryption should be enabled"
+  description = "Ensure if glue job cloudWatch logs encryption is enabled to protect sensitive information at rest."
+  sql         = query.glue_job_cloudwatch_logs_encryption_enabled.sql
+
+  tags = merge(local.conformance_pack_fsx_common_tags, {
+    other_checks = "true"
+  })
+}
+
+control "glue_job_bookmarks_encryption_enabled" {
+  title       = "Glue jobs bookmarks encryption should be enabled"
+  description = "Ensure if glue job bookmarks encryption is enabled to protect sensitive information at rest."
+  sql         = query.glue_job_bookmarks_encryption_enabled.sql
+
+  tags = merge(local.conformance_pack_fsx_common_tags, {
+    other_checks = "true"
+  })
+}
+
+control "glue_job_s3_encryption_enabled" {
+  title       = "Glue jobs S3 encryption should be enabled"
+  description = "Ensure if glue job S3 encryption is enabled to protect sensitive information at rest."
+  sql         = query.glue_job_s3_encryption_enabled.sql
+
+  tags = merge(local.conformance_pack_fsx_common_tags, {
+    other_checks = "true"
+  })
+}
+
+