From 07b675791797588347f2e80eb942e55e4fa561f8 Mon Sep 17 00:00:00 2001 
From: Khushboo Date: Wed, 13 Jul 2022 19:59:19 +0530 Subject: [PATCH 1/4] initial commit --- foundational_security/autoscaling.sp | 28 ++++++++ foundational_security/cloudfront.sp | 16 ++++- .../foundational_security_autoscaling_3.md | 11 +++ .../foundational_security_autoscaling_4.md | 11 +++ .../foundational_security_cloudfront_10.md | 9 +++ .../docs/foundational_security_ec2_24.md | 11 +++ .../docs/foundational_security_ec2_27.md | 9 +++ .../docs/foundational_security_ecr_2.md | 9 +++ .../docs/foundational_security_ecs_10.md | 9 +++ .../docs/foundational_security_ecs_3.md | 9 +++ .../docs/foundational_security_ecs_4.md | 9 +++ .../docs/foundational_security_ecs_5.md | 17 +++++ .../docs/foundational_security_ecs_8.md | 9 +++ .../docs/foundational_security_efs_3.md | 9 +++ .../docs/foundational_security_efs_4.md | 9 +++ .../docs/foundational_security_eks.md | 3 + .../docs/foundational_security_eks_2.md | 9 +++ .../docs/foundational_security_elb_12.md | 9 +++ foundational_security/ec2.sp | 29 +++++++- foundational_security/ecr.sp | 14 ++++ foundational_security/ecs.sp | 71 ++++++++++++++++++- foundational_security/efs.sp | 30 +++++++- foundational_security/eks.sp | 30 ++++++++ foundational_security/elb.sp | 14 ++++ .../autoscaling_launch_config_hop_limit.sql | 16 +++++ ...oscaling_launch_config_requires_imdsv2.sql | 16 +++++ ...istribution_no_deprecated_ssl_protocol.sql | 27 +++++++ query/ec2/ec2_instance_no_amazon_key_pair.sql | 18 +++++ ...nce_virtualization_type_no_paravirtual.sql | 16 +++++ ...cr_repository_tag_immutability_enabled.sql | 16 +++++ ..._fargate_using_latest_platform_version.sql | 18 +++++ ...nition_container_environment_no_secret.sql | 33 +++++++++ ...sk_definition_container_non_privileged.sql | 26 +++++++ ...ion_container_readonly_root_filesystem.sql | 26 +++++++ .../ecs_task_definition_no_host_pid_mode.sql | 16 +++++ ...fs_access_point_enforce_root_directory.sql | 16 +++++ ...efs_access_point_enforce_user_identity.sql | 16 +++++ 
...cluster_with_latest_kubernetes_version.sql | 16 +++++ ..._application_lb_desync_mitigation_mode.sql | 25 +++++++ 39 files changed, 681 insertions(+), 4 deletions(-) create mode 100644 foundational_security/docs/foundational_security_autoscaling_3.md create mode 100644 foundational_security/docs/foundational_security_autoscaling_4.md create mode 100644 foundational_security/docs/foundational_security_cloudfront_10.md create mode 100644 foundational_security/docs/foundational_security_ec2_24.md create mode 100644 foundational_security/docs/foundational_security_ec2_27.md create mode 100644 foundational_security/docs/foundational_security_ecr_2.md create mode 100644 foundational_security/docs/foundational_security_ecs_10.md create mode 100644 foundational_security/docs/foundational_security_ecs_3.md create mode 100644 foundational_security/docs/foundational_security_ecs_4.md create mode 100644 foundational_security/docs/foundational_security_ecs_5.md create mode 100644 foundational_security/docs/foundational_security_ecs_8.md create mode 100644 foundational_security/docs/foundational_security_efs_3.md create mode 100644 foundational_security/docs/foundational_security_efs_4.md create mode 100644 foundational_security/docs/foundational_security_eks.md create mode 100644 foundational_security/docs/foundational_security_eks_2.md create mode 100644 foundational_security/docs/foundational_security_elb_12.md create mode 100644 foundational_security/eks.sp create mode 100644 query/autoscaling/autoscaling_launch_config_hop_limit.sql create mode 100644 query/autoscaling/autoscaling_launch_config_requires_imdsv2.sql create mode 100644 query/cloudfront/cloudfront_distribution_no_deprecated_ssl_protocol.sql create mode 100644 query/ec2/ec2_instance_no_amazon_key_pair.sql create mode 100644 query/ec2/ec2_instance_virtualization_type_no_paravirtual.sql create mode 100644 query/ecr/ecr_repository_tag_immutability_enabled.sql create mode 100644 
query/ecs/ecs_service_fargate_using_latest_platform_version.sql create mode 100644 query/ecs/ecs_task_definition_container_environment_no_secret.sql create mode 100644 query/ecs/ecs_task_definition_container_non_privileged.sql create mode 100644 query/ecs/ecs_task_definition_container_readonly_root_filesystem.sql create mode 100644 query/ecs/ecs_task_definition_no_host_pid_mode.sql create mode 100644 query/efs/efs_access_point_enforce_root_directory.sql create mode 100644 query/efs/efs_access_point_enforce_user_identity.sql create mode 100644 query/eks/eks_cluster_with_latest_kubernetes_version.sql create mode 100644 query/elb/elb_application_lb_desync_mitigation_mode.sql diff --git a/foundational_security/autoscaling.sp b/foundational_security/autoscaling.sp index 6bcd7343..6d99d03d 100644 --- a/foundational_security/autoscaling.sp +++ b/foundational_security/autoscaling.sp @@ -10,6 +10,8 @@ benchmark "foundational_security_autoscaling" { children = [ control.foundational_security_autoscaling_1, control.foundational_security_autoscaling_2, + control.foundational_security_autoscaling_3, + control.foundational_security_autoscaling_4, control.foundational_security_autoscaling_5 ] 
@@ -44,6 +46,32 @@ control "foundational_security_autoscaling_2" { }) } +control "foundational_security_autoscaling_3" { + title = "3 Auto Scaling group should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)" + description = "This control checks whether IMDSv2 is enabled on all instances launched by Amazon EC2 Auto Scaling groups. The control fails if the Instance Metadata Service (IMDS) version is not included in the launch configuration or if both IMDSv1 and IMDSv2 are enabled." + severity = "high" + sql = query.autoscaling_launch_config_requires_imdsv2.sql + documentation = file("./foundational_security/docs/foundational_security_autoscaling_3.md") + + tags = merge(local.foundational_security_autoscaling_common_tags, { + foundational_security_item_id = "autoscaling_3" + foundational_security_category = "secure_network_configuration" + }) +} + +control "foundational_security_autoscaling_4" { + title = "4 Auto Scaling group launch configuration should not have metadata response hop limit greater than 1" + description = "This control checks the number of network hops that a metadata token can travel. The control fails if the metadata response hop limit is greater than 1." + severity = "high" + sql = query.autoscaling_launch_config_requires_imdsv2.sql + documentation = file("./foundational_security/docs/foundational_security_autoscaling_4.md") + + tags = merge(local.foundational_security_autoscaling_common_tags, { + foundational_security_item_id = "autoscaling_4" + foundational_security_category = "secure_network_configuration" + }) +} + control "foundational_security_autoscaling_5" { title = "5 Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses" description = "This control checks whether an Auto Scaling groups associated launch configuration assigns a public IP address to the group’s instances." 
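Review bot: The new `foundational_security_autoscaling_4` control (hop limit) sets `sql = query.autoscaling_launch_config_requires_imdsv2.sql`, the same query `autoscaling_3` uses, so both controls would evaluate IMDSv2 enforcement and the hop-limit condition the title and description promise is never checked. The diffstat of this patch adds `query/autoscaling/autoscaling_launch_config_hop_limit.sql`, which looks like the intended query; change the line to `sql = query.autoscaling_launch_config_hop_limit.sql`. This assumes that query file implements the "hop limit greater than 1" check — worth confirming against its body, which is outside this hunk.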
diff --git a/foundational_security/cloudfront.sp b/foundational_security/cloudfront.sp index 2e95dd14..c6bcfc00 100644 --- a/foundational_security/cloudfront.sp +++ b/foundational_security/cloudfront.sp @@ -16,7 +16,8 @@ benchmark "foundational_security_cloudfront" { control.foundational_security_cloudfront_6, control.foundational_security_cloudfront_7, control.foundational_security_cloudfront_8, - control.foundational_security_cloudfront_9 + control.foundational_security_cloudfront_9, + control.foundational_security_cloudfront_10 ] tags = merge(local.foundational_security_cloudfront_common_tags, { @@ -140,3 +141,16 @@ control "foundational_security_cloudfront_9" { foundational_security_category = "encryption_of_data_in_transit" }) } + +control "foundational_security_cloudfront_10" { + title = "10 CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins" + description = "This control checks if Amazon CloudFront distributions are using deprecated SSL protocols for HTTPS communication between CloudFront edge locations and your custom origins. This control fails if a CloudFront distribution has a CustomOriginConfig where OriginSslProtocols includes SSLv3." + severity = "medium" + sql = query.cloudfront_distribution_no_deprecated_ssl_protocol.sql + documentation = file("./foundational_security/docs/foundational_security_cloudfront_10.md") + + tags = merge(local.foundational_security_cloudfront_common_tags, { + foundational_security_item_id = "cloudfront_10" + foundational_security_category = "encryption_of_data_in_transit" + }) +} diff --git a/foundational_security/docs/foundational_security_autoscaling_3.md b/foundational_security/docs/foundational_security_autoscaling_3.md new file mode 100644 index 00000000..fa623e17 --- /dev/null +++ b/foundational_security/docs/foundational_security_autoscaling_3.md 
@@ -0,0 +1,11 @@ +## Description + +This control checks whether IMDSv2 is enabled on all instances launched by Amazon EC2 Auto Scaling groups. The control fails if the Instance Metadata Service (IMDS) version is not included in the launch configuration or if both IMDSv1 and IMDSv2 are enabled. + +IMDS provides data about your instance that you can use to configure or manage the running instance. + +Version 2 of the IMDS adds new protections that weren't available in IMDSv1 to further safeguard your EC2 instances. + +## Remediation + +An Auto Scaling group is associated with one launch configuration at a time. You cannot modify a launch configuration after you create it. To change the launch configuration for an Auto Scaling group, use an existing launch configuration as the basis for a new launch configuration with IMDSv2 enabled. For more information, see [Configure instance metadata options for new instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-options.html#configuring-IMDS-new-instances) in the Amazon EC2 User Guide for Linux Instances. diff --git a/foundational_security/docs/foundational_security_autoscaling_4.md b/foundational_security/docs/foundational_security_autoscaling_4.md new file mode 100644 index 00000000..72eb198a --- /dev/null +++ b/foundational_security/docs/foundational_security_autoscaling_4.md 
@@ -0,0 +1,11 @@ +## Description + +This control checks the number of network hops that a metadata token can travel. The control fails if the metadata response hop limit is greater than 1. + +The Instance Metadata Service (IMDS) provides metadata information about an Amazon EC2 instance and is useful for application configuration. Restricting the HTTP PUT response for the metadata service to only the EC2 instance protects the IMDS from unauthorized use. + +The Time To Live (TTL) field in the IP packet is reduced by one on every hop. This reduction can be used to ensure that the packet does not travel outside EC2. IMDSv2 protects EC2 instances that may have been misconfigured as open routers, layer 3 firewalls, VPNs, tunnels, or NAT devices, which prevents unauthorized users from retrieving metadata. With IMDSv2, the PUT response that contains the secret token cannot travel outside the instance because the default metadata response hop limit is set to 1. However, if this value is greater than 1, the token can leave the EC2 instance. + +## Remediation + +For detailed instructions on how to modify the metadata response hop limit for an existing launch configuration, see [Modify instance metadata options for existing instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-options.html#configuring-IMDS-existing-instances) in the Amazon EC2 User Guide for Linux Instances. \ No newline at end of file diff --git a/foundational_security/docs/foundational_security_cloudfront_10.md b/foundational_security/docs/foundational_security_cloudfront_10.md new file mode 100644 index 00000000..54d80616 --- /dev/null +++ b/foundational_security/docs/foundational_security_cloudfront_10.md 
@@ -0,0 +1,9 @@ +## Description + +This control checks if Amazon CloudFront distributions are using deprecated SSL protocols for HTTPS communication between CloudFront edge locations and your custom origins. This control fails if a CloudFront distribution has a CustomOriginConfig where OriginSslProtocols includes SSLv3. + +In 2015, the Internet Engineering Task Force (IETF) officially announced that SSL 3.0 should be deprecated due to the protocol being insufficiently secure. It is recommended that you use TLSv1.2 or later for HTTPS communication to your custom origins. + +## Remediation + +To update the Origin SSL Protocols for your CloudFront distributions, see [Requiring HTTPS for communication between CloudFront and your custom origin](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-custom-origin.html) in the Amazon CloudFront Developer Guide. \ No newline at end of file diff --git a/foundational_security/docs/foundational_security_ec2_24.md b/foundational_security/docs/foundational_security_ec2_24.md new file mode 100644 index 00000000..7de4978c --- /dev/null +++ b/foundational_security/docs/foundational_security_ec2_24.md 
@@ -0,0 +1,11 @@ +## Description + +This control checks whether the virtualization type of an EC2 instance is paravirtual. The control fails if the virtualizationType of the EC2 instance is set to paravirtual. + +Linux Amazon Machine Images (AMIs) use one of two types of virtualization: paravirtual (PV) or hardware virtual machine (HVM). The main differences between PV and HVM AMIs are the way in which they boot and whether they can take advantage of special hardware extensions (CPU, network, and storage) for better performance. + +Historically, PV guests had better performance than HVM guests in many cases, but because of enhancements in HVM virtualization and the availability of PV drivers for HVM AMIs, this is no longer true. For more information, see Linux AMI virtualization types in the Amazon EC2 User Guide for Linux Instances. + +## Remediation + +For information about how to update an EC2 instance to a new instance type, see [Change the instance type](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-resize.html) in the Amazon EC2 User Guide for Linux Instances. \ No newline at end of file diff --git a/foundational_security/docs/foundational_security_ec2_27.md b/foundational_security/docs/foundational_security_ec2_27.md new file mode 100644 index 00000000..1bc2db4e --- /dev/null +++ b/foundational_security/docs/foundational_security_ec2_27.md 
@@ -0,0 +1,9 @@ +## Description + +This control checks whether running EC2 instances are using key pairs. The control fails if a running EC2 instance uses a key pair. + +As best practice, we recommend that you reduce the number of credentials in use whenever possible to minimize the risk of compromised credentials and unintended access. EC2 instances without key pairs can still be accessed using AWS Systems Manager Session Manager or browser-based SSH connection via the AWS console. You can also access EC2 instances with a password, but we do not recommend this because it involves credentials similar to key pairs. + +## Remediation + +To delete a key pair, see [Delete your public key on Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/delete-key-pair.html) in the Amazon EC2 User Guide for Linux Instances. \ No newline at end of file diff --git a/foundational_security/docs/foundational_security_ecr_2.md b/foundational_security/docs/foundational_security_ecr_2.md new file mode 100644 index 00000000..18f25e15 --- /dev/null +++ b/foundational_security/docs/foundational_security_ecr_2.md 
@@ -0,0 +1,9 @@ +## Description + +This control checks whether a private ECR repository has tag immutability enabled. This control fails if a private ECR repository has tag immutability disabled. This rule passes if tag immutability is enabled and has the value IMMUTABLE. + +Amazon ECR Tag Immutability enables customers to rely on the descriptive tags of an image as a reliable mechanism to track and uniquely identify images. An immutable tag is static, which means each tag refers to a unique image. This improves reliability and scalability as the use of a static tag will always result in the same image being deployed. When configured, tag immutability prevents the tags from being overridden, which reduces the attack surface. + +## Remediation + +To configure image scanning for an ECR repository, see [Image scanning](https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html) in the Amazon Elastic Container Registry User Guide. \ No newline at end of file diff --git a/foundational_security/docs/foundational_security_ecs_10.md b/foundational_security/docs/foundational_security_ecs_10.md new file mode 100644 index 00000000..a478d499 --- /dev/null +++ b/foundational_security/docs/foundational_security_ecs_10.md 
@@ -0,0 +1,9 @@ +## Description + +This control checks if Amazon ECS Fargate services are running the latest Fargate platform version. This control fails if the platform version is not the latest. + +AWS Fargate platform versions refer to a specific runtime environment for Fargate task infrastructure, which is a combination of kernel and container runtime versions. New platform versions are released as the runtime environment evolves. For example, a new version may be released for kernel or operating system updates, new features, bug fixes, or security updates. Security updates and patches are deployed automatically for your Fargate tasks. If a security issue is found that affects a platform version, AWS patches the platform version. + +## Remediation + +To update an existing service, including its platform version, see [Updating a service](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/update-service.html) in the Amazon Elastic Container Service Developer Guide. \ No newline at end of file diff --git a/foundational_security/docs/foundational_security_ecs_3.md b/foundational_security/docs/foundational_security_ecs_3.md new file mode 100644 index 00000000..a3c74897 --- /dev/null +++ b/foundational_security/docs/foundational_security_ecs_3.md 
@@ -0,0 +1,9 @@ +## Description + +This control checks if Amazon ECS task definitions are configured to share a host’s process namespace with its containers. The control fails if the task definition shares the host's process namespace with the containers running on it. + +A process ID (PID) namespace provides separation between processes. It prevents system processes from being visible, and allows PIDs to be reused, including PID 1. If the host’s PID namespace is shared with containers, it would allow containers to see all of the processes on the host system. This reduces the benefit of process level isolation between the host and the containers. These circumstances could lead to unauthorized access to processes on the host itself, including the ability to manipulate and terminate them. Customers shouldn’t share the host’s process namespace with containers running on it. + +## Remediation + +To configure the pidMode on a task definition, see [Task definition parameters](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#task_definition_pidmode) in the Amazon Elastic Container Service Developer Guide. diff --git a/foundational_security/docs/foundational_security_ecs_4.md b/foundational_security/docs/foundational_security_ecs_4.md new file mode 100644 index 00000000..4e4d377b --- /dev/null +++ b/foundational_security/docs/foundational_security_ecs_4.md 
@@ -0,0 +1,9 @@ +## Description + +This control checks if the privileged parameter in the container definition of Amazon ECS Task Definitions is set to true. The control fails if this parameter is equal to true. + +We recommend that you remove elevated privileges from your ECS task definitions. When the privilege parameter is true, the container is given elevated privileges on the host container instance (similar to the root user). + +## Remediation + +To configure the privileged parameter on a task definition, see [Advanced container definition parameters](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#container_definition_security) in the Amazon Elastic Container Service Developer Guide. \ No newline at end of file diff --git a/foundational_security/docs/foundational_security_ecs_5.md b/foundational_security/docs/foundational_security_ecs_5.md new file mode 100644 index 00000000..63b726b5 --- /dev/null +++ b/foundational_security/docs/foundational_security_ecs_5.md 
@@ -0,0 +1,17 @@ +## Description + +This control checks if ECS containers are limited to read-only access to mounted root filesystems. This control fails if the ReadonlyRootFilesystem parameter in the container definition of ECS task definitions is set to false. + +Enabling this option reduces security attack vectors since the container instance’s filesystem cannot be tampered with or written to unless it has explicit read-write permissions on its filesystem folder and directories. This control also adheres to the principle of least privilege. + +## Remediation + +**To limit container definitions to read-only access to root filesystems** + +1. Open the [Amazon ECS console](https://console.aws.amazon.com/ecs/). +2. In the left navigation pane, choose `Task Definitions`. +3.For each task definition that has container definitions that need to be updated, do the following: + - Select the container definition that needs to be updated. + - Choose `Edit Container`. For `Storage and Logging`, select `Read only root file system`. + - Choose `Update` at the bottom of the `Edit Container` tab. + - Choose `Create`. \ No newline at end of file diff --git a/foundational_security/docs/foundational_security_ecs_8.md b/foundational_security/docs/foundational_security_ecs_8.md new file mode 100644 index 00000000..29e3f706 --- /dev/null +++ b/foundational_security/docs/foundational_security_ecs_8.md 
@@ -0,0 +1,9 @@ +## Description + +This control checks if the key value of any variables in the environment parameter of container definitions includes AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, or ECS_ENGINE_AUTH_DATA. This control fails if a single environment variable in any container definition equals AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, or ECS_ENGINE_AUTH_DATA. This control does not cover environmental variables passed in from other locations such as Amazon S3. + +AWS Systems Manager Parameter Store can help you improve the security posture of your organization. We recommend using the Parameter Store to store secrets and credentials instead of directing passing them into your container instances or hard coding them into your code. + +## Remediation + +To create parameters using SSM, see [Creating Systems Manager parameters](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-paramstore-su-create.html)in the AWS Systems Manager User Guide. For more information about creating a task definition that specifies a secret, see [Specifying sensitive data using Secrets Manager](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data-secrets.html#secrets-create-taskdefinition) in the Amazon Elastic Container Service Developer Guide. \ No newline at end of file diff --git a/foundational_security/docs/foundational_security_efs_3.md b/foundational_security/docs/foundational_security_efs_3.md new file mode 100644 index 00000000..ee8f8b0e --- /dev/null +++ b/foundational_security/docs/foundational_security_efs_3.md 
@@ -0,0 +1,9 @@ +## Description + +This control checks if Amazon EFS access points are configured to enforce a root directory. The control fails if the value of Path is set to / (the default root directory of the file system). + +When you enforce a root directory, the NFS client using the access point uses the root directory configured on the access point instead of the file system's root directory. Enforcing a root directory for an access point helps restrict data access by ensuring that users of the access point can only reach files of the specified subdirectory. + +## Remediation + +For instructions on how to enforce a root directory for an Amazon EFS access point, see [Enforcing a root directory with an access point](https://docs.aws.amazon.com/efs/latest/ug/efs-access-points.html#enforce-root-directory-access-point) in the Amazon Elastic File System User Guide. \ No newline at end of file diff --git a/foundational_security/docs/foundational_security_efs_4.md b/foundational_security/docs/foundational_security_efs_4.md new file mode 100644 index 00000000..dcb56f04 --- /dev/null +++ b/foundational_security/docs/foundational_security_efs_4.md 
@@ -0,0 +1,9 @@ +## Description + +This control checks whether Amazon EFS access points are configured to enforce a user identity. This control fails if a POSIX user identity is not defined while creating the EFS access point. + +Amazon EFS access points are application-specific entry points into an EFS file system that make it easier to manage application access to shared datasets. Access points can enforce a user identity, including the user's POSIX groups, for all file system requests that are made through the access point. Access points can also enforce a different root directory for the file system so that clients can only access data in the specified directory or its subdirectories. + +## Remediation + +To enforce a user identity for an Amazon EFS access point, see [Enforcing a user identity using an access point](https://docs.aws.amazon.com/efs/latest/ug/efs-access-points.html#enforce-identity-access-points) in the Amazon Elastic File System User Guide. \ No newline at end of file diff --git a/foundational_security/docs/foundational_security_eks.md b/foundational_security/docs/foundational_security_eks.md new file mode 100644 index 00000000..14d63ba9 --- /dev/null +++ b/foundational_security/docs/foundational_security_eks.md @@ -0,0 +1,3 @@ +## Overview + +This section contains recommendations for configuring AWS EKS resources and options. \ No newline at end of file diff --git a/foundational_security/docs/foundational_security_eks_2.md b/foundational_security/docs/foundational_security_eks_2.md new file mode 100644 index 00000000..5ce42c48 --- /dev/null +++ b/foundational_security/docs/foundational_security_eks_2.md 
@@ -0,0 +1,9 @@ +## Description + +This control checks whether an Amazon EKS cluster is running on a supported Kubernetes version. The control fails if the EKS cluster is running on an unsupported version. + +If your application doesn't require a specific version of Kubernetes, we recommend that you use the latest available Kubernetes version that's supported by EKS for your clusters. For more information about supported Kubernetes versions for Amazon EKS, see [Amazon EKS Kubernetes release calendar](https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-release-calendar) and [Amazon EKS version support and FAQ](https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#version-deprecation)/para> in the Amazon EKS User Guide. + +## Remediation + +To update an EKS cluster, [Updating an Amazon EKS cluster Kubernetes version](https://docs.aws.amazon.com/eks/latest/userguide/update-cluster.html)/para> in the Amazon EKS User Guide. \ No newline at end of file diff --git a/foundational_security/docs/foundational_security_elb_12.md b/foundational_security/docs/foundational_security_elb_12.md new file mode 100644 index 00000000..0a8e433c --- /dev/null +++ b/foundational_security/docs/foundational_security_elb_12.md 
@@ -0,0 +1,9 @@ +## Description + +This control checks whether an Application Load Balancer is configured with defensive or strictest desync mitigation mode. The control fails if an Application Load Balancer is not configured with defensive or strictest desync mitigation mode. + +HTTP Desync issues can lead to request smuggling and make applications vulnerable to request queue or cache poisoning. In turn, these vulnerabilities can lead to credential hijacking or execution of unauthorized commands. Application Load Balancers configured with defensive or strictest desync mitigation mode protect your application from security issues that may be caused by HTTP Desync. + +## Remediation + +To update desync mitigation mode of an Application Load Balancer, see [Desync mitigation mode](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html#desync-mitigation-mode) in the User Guide for Application Load Balancers. \ No newline at end of file diff --git a/foundational_security/ec2.sp b/foundational_security/ec2.sp index f68e2e84..b58e3196 100644 --- a/foundational_security/ec2.sp +++ b/foundational_security/ec2.sp @@ -23,7 +23,8 @@ benchmark "foundational_security_ec2" { control.foundational_security_ec2_18, control.foundational_security_ec2_19, control.foundational_security_ec2_21, - control.foundational_security_ec2_22 + control.foundational_security_ec2_22, + control.foundational_security_ec2_24 ] tags = merge(local.foundational_security_ec2_common_tags, { 
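Review bot: The `children` list of `foundational_security_ec2` gains only `control.foundational_security_ec2_24`, while the next hunk of this file also defines `control.foundational_security_ec2_27`; a control missing from the list is not evaluated when the benchmark runs, so the key-pair check would be silently skipped. Add `control.foundational_security_ec2_27` after `control.foundational_security_ec2_24` in the list. The same omission appears in `foundational_security/ecs.sp`, whose children hunk adds `ecs_3`, `ecs_4`, `ecs_5` and `ecs_8` but not the `foundational_security_ecs_10` control defined later in that file. If leaving these out is deliberate (for example, controls still being validated), a short comment next to each list saying so would avoid the question on later review.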
@@ -237,4 +238,30 @@ control "foundational_security_ec2_22" { foundational_security_item_id = "ec2_22" foundational_security_category = "inventory" }) +} + +control "foundational_security_ec2_24" { + title = "24 Paravirtual EC2 instance types should not be used" + description = "This control checks whether the virtualization type of an EC2 instance is paravirtual. The control fails if the virtualizationType of the EC2 instance is set to paravirtual." + severity = "medium" + sql = query.ec2_instance_virtualization_type_no_paravirtual.sql + documentation = file("./foundational_security/docs/foundational_security_ec2_24.md") + + tags = merge(local.foundational_security_ec2_common_tags, { + foundational_security_item_id = "ec2_24" + foundational_security_category = "vulnerability_patch_and_version_management" + }) +} + +control "foundational_security_ec2_27" { + title = "27 Running EC2 Instances should not use key pairs" + description = "This control checks whether running EC2 instances are using key pairs. The control fails if a running EC2 instance uses a key pair." + severity = "high" + sql = query.ec2_instance_no_amazon_key_pair.sql + documentation = file("./foundational_security/docs/foundational_security_ec2_27.md") + + tags = merge(local.foundational_security_ec2_common_tags, { + foundational_security_item_id = "ec2_27" + foundational_security_category = "resource_configuration" + }) } \ No newline at end of file diff --git a/foundational_security/ecr.sp b/foundational_security/ecr.sp index b1997aed..931ddf4d 100644 --- a/foundational_security/ecr.sp +++ b/foundational_security/ecr.sp @@ -8,6 +8,7 @@ benchmark "foundational_security_ecr" { title = "Elastic Container Registry" documentation = file("./foundational_security/docs/foundational_security_ecr.md") children = [ + control.foundational_security_ecr_2, control.foundational_security_ecr_3 ] 
@@ -16,6 +17,19 @@ benchmark "foundational_security_ecr" { }) } +control "foundational_security_ecr_2" { + title = "2 ECR private repositories should have tag immutability configured" + description = "This control checks whether a private ECR repository has tag immutability enabled. This control fails if a private ECR repository has tag immutability disabled. This rule passes if tag immutability is enabled and has the value IMMUTABLE." + severity = "medium" + sql = query.ecr_repository_tag_immutability_enabled.sql + documentation = file("./foundational_security/docs/foundational_security_ecr_2.md") + + tags = merge(local.foundational_security_ecr_common_tags, { + foundational_security_item_id = "ecr_2" + foundational_security_category = "tagging" + }) +} + control "foundational_security_ecr_3" { title = "3 ECR repositories should have at least one lifecycle policy configured" description = "This control checks whether an Amazon ECR repository has at least one lifecycle policy configured. This control fails if an ECR repository does not have any lifecycle policies configured." diff --git a/foundational_security/ecs.sp b/foundational_security/ecs.sp index 130b6aab..c51f3005 100644 --- a/foundational_security/ecs.sp +++ b/foundational_security/ecs.sp @@ -9,7 +9,11 @@ benchmark "foundational_security_ecs" { documentation = file("./foundational_security/docs/foundational_security_ecs.md") children = [ control.foundational_security_ecs_1, - control.foundational_security_ecs_2 + control.foundational_security_ecs_2, + control.foundational_security_ecs_3, + control.foundational_security_ecs_4, + control.foundational_security_ecs_5, + control.foundational_security_ecs_8 ] tags = merge(local.foundational_security_ecs_common_tags, { 
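Review bot: `foundational_security_ecr_2` points `documentation` at `foundational_security_ecr_2.md`, but the Remediation section of that file, added earlier in this patch, tells the reader how to configure image scanning and links to the ECR image-scanning guide, which does not remediate a tag-immutability finding. Replace that paragraph with one describing how to set the repository's image tag mutability to IMMUTABLE and link to the corresponding ECR user-guide page. The control's title and description are otherwise consistent with each other.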
@@ -42,3 +46,68 @@ control "foundational_security_ecs_2" {
 foundational_security_category = "resources_not_publicly_accessible"
 })
 }
+
+control "foundational_security_ecs_3" {
+ title = "3 ECS task definitions should not share the host's process namespace"
+ description = "This control checks if Amazon ECS task definitions are configured to share a host’s process namespace with its containers. The control fails if the task definition shares the host's process namespace with the containers running on it."
+ severity = "high"
+ sql = query.ecs_task_definition_no_host_pid_mode.sql
+ documentation = file("./foundational_security/docs/foundational_security_ecs_3.md")
+
+ tags = merge(local.foundational_security_ecs_common_tags, {
+ foundational_security_item_id = "ecs_3"
+ foundational_security_category = "resource_configuration"
+ })
+}
+
+control "foundational_security_ecs_4" {
+ title = "4 ECS containers should run as non-privileged"
+ description = "This control checks if the privileged parameter in the container definition of Amazon ECS Task Definitions is set to true. The control fails if this parameter is equal to true."
+ severity = "high"
+ sql = query.ecs_task_definition_container_non_privileged.sql
+ documentation = file("./foundational_security/docs/foundational_security_ecs_4.md")
+
+ tags = merge(local.foundational_security_ecs_common_tags, {
+ foundational_security_item_id = "ecs_4"
+ foundational_security_category = "root_user_access_restrictions"
+ })
+}
+
+control "foundational_security_ecs_5" {
+ title = "5 ECS containers should be limited to read-only access to root filesystems"
+ description = "This control checks if ECS containers are limited to read-only access to mounted root filesystems. This control fails if the ReadonlyRootFilesystem parameter in the container definition of ECS task definitions is set to false."
+ severity = "high"
+ sql = query.ecs_task_definition_container_readonly_root_filesystem.sql
+ documentation = file("./foundational_security/docs/foundational_security_ecs_5.md")
+
+ tags = merge(local.foundational_security_ecs_common_tags, {
+ foundational_security_item_id = "ecs_5"
+ foundational_security_category = "secure_access_management"
+ })
+}
+
+control "foundational_security_ecs_8" {
+ title = "8 Secrets should not be passed as container environment variables"
+ description = "This control checks if the key value of any variables in the environment parameter of container definitions includes AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, or ECS_ENGINE_AUTH_DATA. This control fails if a single environment variable in any container definition equals AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, or ECS_ENGINE_AUTH_DATA. This control does not cover environmental variables passed in from other locations such as Amazon S3."
+ severity = "high"
+ sql = query.ecs_task_definition_container_environment_no_secret.sql
+ documentation = file("./foundational_security/docs/foundational_security_ecs_8.md")
+
+ tags = merge(local.foundational_security_ecs_common_tags, {
+ foundational_security_item_id = "ecs_8"
+ foundational_security_category = "credentials_not_hard_coded"
+ })
+}
+
+control "foundational_security_ecs_10" {
+ title = "10 Fargate services should run on the latest Fargate platform version"
+ description = "This control checks if Amazon ECS Fargate services are running the latest Fargate platform version. This control fails if the platform version is not the latest."
+ severity = "medium"
+ sql = query.ecs_service_fargate_using_latest_platform_version.sql
+ documentation = file("./foundational_security/docs/foundational_security_ecs_10.md")
+
+ tags = merge(local.foundational_security_ecs_common_tags, {
+ foundational_security_item_id = "ecs_10"
+ foundational_security_category = "vulnerability_patch_and_version_management"
+ })
+}
\ No newline at end of file
diff --git a/foundational_security/efs.sp b/foundational_security/efs.sp
index 85091c19..fac65ace 100644
--- a/foundational_security/efs.sp
+++ b/foundational_security/efs.sp
@@ -9,7 +9,9 @@ benchmark "foundational_security_efs" {
 documentation = file("./foundational_security/docs/foundational_security_efs.md")
 children = [
 control.foundational_security_efs_1,
- control.foundational_security_efs_2
+ control.foundational_security_efs_2,
+ control.foundational_security_efs_3,
+ control.foundational_security_efs_4
 ]
 tags = merge(local.foundational_security_efs_common_tags, {
@@ -41,4 +43,30 @@ control "foundational_security_efs_2" {
 foundational_security_item_id = "efs_2"
 foundational_security_category = "backup"
 })
+}
+
+control "foundational_security_efs_3" {
+ title = "3 EFS access points should enforce a root directory"
+ description = "This control checks if Amazon EFS access points are configured to enforce a root directory. The control fails if the value of Path is set to / (the default root directory of the file system)."
+ severity = "medium"
+ sql = query.efs_access_point_enforce_root_directory.sql
+ documentation = file("./foundational_security/docs/foundational_security_efs_3.md")
+
+ tags = merge(local.foundational_security_efs_common_tags, {
+ foundational_security_item_id = "efs_3"
+ foundational_security_category = "secure_access_management"
+ })
+}
+
+control "foundational_security_efs_4" {
+ title = "4 EFS access points should enforce a user identity"
+ description = "This control checks whether Amazon EFS access points are configured to enforce a user identity. This control fails if a POSIX user identity is not defined while creating the EFS access point."
+ severity = "medium"
+ sql = query.efs_access_point_enforce_user_identity.sql
+ documentation = file("./foundational_security/docs/foundational_security_efs_4.md")
+
+ tags = merge(local.foundational_security_efs_common_tags, {
+ foundational_security_item_id = "efs_4"
+ foundational_security_category = "secure_access_management"
+ })
 }
\ No newline at end of file
diff --git a/foundational_security/eks.sp b/foundational_security/eks.sp
new file mode 100644
index 00000000..7b06948e
--- /dev/null
+++ b/foundational_security/eks.sp
@@ -0,0 +1,30 @@
+locals {
+ foundational_security_eks_common_tags = merge(local.foundational_security_common_tags, {
+ service = "AWS/EKS"
+ })
+}
+
+benchmark "foundational_security_eks" {
+ title = "EKS"
+ documentation = file("./foundational_security/docs/foundational_security_eks.md")
+ children = [
+ control.foundational_security_eks_2
+ ]
+
+ tags = merge(local.foundational_security_eks_common_tags, {
+ type = "Benchmark"
+ })
+}
+
+control "foundational_security_eks_2" {
+ title = "1 EKS clusters should run on a supported Kubernetes version"
+ description = "This control checks whether an Amazon EKS cluster is running on a supported Kubernetes version. The control fails if the EKS cluster is running on an unsupported version. If your application doesn't require a specific version of Kubernetes, we recommend that you use the latest available Kubernetes version that's supported by EKS for your clusters."
+ severity = "high"
+ sql = query.eks_cluster_with_latest_kubernetes_version.sql
+ documentation = file("./foundational_security/docs/foundational_security_eks_2.md")
+
+ tags = merge(local.foundational_security_efs_common_tags, {
+ foundational_security_item_id = "eks_2"
+ foundational_security_category = "vulnerability_patch_and_version_management"
+ })
+}
\ No newline at end of file
diff --git a/foundational_security/elb.sp b/foundational_security/elb.sp
index 69728501..beac57f4 100644
--- a/foundational_security/elb.sp
+++ b/foundational_security/elb.sp
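Review bot: `control "foundational_security_eks_2"` merges `local.foundational_security_efs_common_tags` instead of the `foundational_security_eks_common_tags` declared in the `locals` block at the top of this same file, so the control is tagged with the EFS service rather than `AWS/EKS` and any reporting keyed on the service tag will file it under the wrong service; change the line to `tags = merge(local.foundational_security_eks_common_tags, {`. The title also starts with `1` while the item id is `eks_2`; every other control in this series prefixes the title with its item number, so this should read `title = "2 EKS clusters should run on a supported Kubernetes version"`.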
@@ -98,3 +98,17 @@ control "foundational_security_elb_10" {
 foundational_security_category = "high_availability"
 })
 }
+
+control "foundational_security_elb_12" {
+ title = "12 Application Load Balancers should be configured with defensive or strictest desync mitigation mode"
+ description = "This control checks whether an Application Load Balancer is configured with defensive or strictest desync mitigation mode. The control fails if an Application Load Balancer is not configured with defensive or strictest desync mitigation mode."
+ severity = "medium"
+ sql = query.elb_application_lb_desync_mitigation_mode.sql
+ documentation = file("./foundational_security/docs/foundational_security_elb_12.md")
+
+ tags = merge(local.foundational_security_elb_common_tags, {
+ foundational_security_item_id = "elb_12"
+ foundational_security_category = "data_integrity"
+ })
+}
+
diff --git a/query/autoscaling/autoscaling_launch_config_hop_limit.sql b/query/autoscaling/autoscaling_launch_config_hop_limit.sql
new file mode 100644
index 00000000..dffff1e6
--- /dev/null
+++ b/query/autoscaling/autoscaling_launch_config_hop_limit.sql
@@ -0,0 +1,16 @@
+select
+ -- Required Columns
+ launch_configuration_arn as resource,
+ case
+ when metadata_options_put_response_hop_limit > 1 then 'alarm'
+ else 'ok'
+ end as status,
+ case
+ when metadata_options_put_response_hop_limit > 1 then title || ' metadata response hop limit is greater than 1.'
+ else title || ' metadata response hop limit is not greater than 1.'
+ end as reason,
+ -- Additional Dimensions
+ region,
+ account_id
+from
+ aws_ec2_launch_configuration;
\ No newline at end of file
diff --git a/query/autoscaling/autoscaling_launch_config_requires_imdsv2.sql b/query/autoscaling/autoscaling_launch_config_requires_imdsv2.sql
new file mode 100644
index 00000000..3b98cede
--- /dev/null
+++ b/query/autoscaling/autoscaling_launch_config_requires_imdsv2.sql
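Review bot: in `autoscaling_launch_config_hop_limit.sql` the predicate `metadata_options_put_response_hop_limit > 1` evaluates to unknown when the launch configuration has no metadata options at all, which falls through to `'ok'` with a reason asserting the limit "is not greater than 1"; that is presumably correct because the AWS default hop limit is 1, but the query relies on it silently. A comment above the first `case`, such as `-- a null hop limit means no metadata options were set, so the AWS default of 1 applies`, would make the null path a documented decision instead of an accident.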
@@ -0,0 +1,16 @@
+select
+ -- Required Columns
+ launch_configuration_arn as resource,
+ case
+ when metadata_options_http_tokens = 'required' then 'ok'
+ else 'alarm'
+ end as status,
+ case
+ when metadata_options_http_tokens = 'required' then title || ' configured to use Instance Metadata Service Version 2 (IMDSv2).'
+ else title || ' not configured to use Instance Metadata Service Version 2 (IMDSv2).'
+ end as reason,
+ -- Additional Dimensions
+ region,
+ account_id
+from
+ aws_ec2_launch_configuration;
\ No newline at end of file
diff --git a/query/cloudfront/cloudfront_distribution_no_deprecated_ssl_protocol.sql b/query/cloudfront/cloudfront_distribution_no_deprecated_ssl_protocol.sql
new file mode 100644
index 00000000..0311fa54
--- /dev/null
+++ b/query/cloudfront/cloudfront_distribution_no_deprecated_ssl_protocol.sql
@@ -0,0 +1,27 @@
+with origin_ssl_protocols as (
+ select
+ distinct arn,
+ o -> 'CustomOriginConfig' ->> 'OriginProtocolPolicy' as origin_protocol_policy
+ from
+ aws_cloudfront_distribution,
+ jsonb_array_elements(origins) as o
+ where
+ o -> 'CustomOriginConfig' -> 'OriginSslProtocols' -> 'Items' @> '["SSLv3"]'
+)
+select
+ -- Required Columns
+ b.arn as resource,
+ case
+ when o.arn is null then 'ok'
+ else 'alarm'
+ end as status,
+ case
+ when o.arn is null then title || ' does not have deprecated SSL protocols.'
+ else title || ' have deprecated SSL protocols.'
+ end as reason,
+ -- Additional Dimensions
+ region,
+ account_id
+from
+ aws_cloudfront_distribution as b
+ left join origin_ssl_protocols as o on b.arn = o.arn;
\ No newline at end of file
diff --git a/query/ec2/ec2_instance_no_amazon_key_pair.sql b/query/ec2/ec2_instance_no_amazon_key_pair.sql
new file mode 100644
index 00000000..712ec1d0
--- /dev/null
+++ b/query/ec2/ec2_instance_no_amazon_key_pair.sql
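Review bot: in `cloudfront_distribution_no_deprecated_ssl_protocol.sql` the `origin_ssl_protocols` CTE selects `distinct arn, ... as origin_protocol_policy`, but `origin_protocol_policy` is never read by the outer query, and keeping it inside the `distinct` means a distribution with two SSLv3 origins that differ in protocol policy produces two CTE rows, which the `left join` turns into two result rows for a single resource. Reduce the CTE to `select distinct arn` so each distribution joins at most once. The outer query also leaves `title`, `region` and `account_id` unqualified; they resolve to `b` today only because the CTE does not define them, so prefix them as `b.title`, `b.region`, `b.account_id`. The alarm reason should read `' has deprecated SSL protocols.'` rather than `' have ...'`.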
@@ -0,0 +1,18 @@
+select
+ -- Required Columns
+ arn as resource,
+ case
+ when instance_state <> 'running' then 'skip'
+ when key_name is null then 'ok'
+ else 'alarm'
+ end as status,
+ case
+ when instance_state <> 'running' then title || ' is in ' || instance_state || ' state.'
+ when key_name is null then title || ' not launched using amazon key pairs.'
+ else title || ' launched using amazon key pairs.'
+ end as reason,
+ -- Additional Dimensions
+ region,
+ account_id
+from
+ aws_ec2_instance;
diff --git a/query/ec2/ec2_instance_virtualization_type_no_paravirtual.sql b/query/ec2/ec2_instance_virtualization_type_no_paravirtual.sql
new file mode 100644
index 00000000..c5e2381b
--- /dev/null
+++ b/query/ec2/ec2_instance_virtualization_type_no_paravirtual.sql
@@ -0,0 +1,16 @@
+select
+ -- Required Columns
+ arn as resource,
+ case
+ when virtualization_type = 'paravirtual' then 'alarm'
+ else 'ok'
+ end as status,
+ case
+ when virtualization_type = 'paravirtual' then title || ' virtualization type is paravirtual.'
+ else title || ' virtualization type is ' || virtualization_type || '.'
+ end as reason,
+ -- Additional Dimensions
+ region,
+ account_id
+from
+ aws_ec2_instance;
diff --git a/query/ecr/ecr_repository_tag_immutability_enabled.sql b/query/ecr/ecr_repository_tag_immutability_enabled.sql
new file mode 100644
index 00000000..999e9aff
--- /dev/null
+++ b/query/ecr/ecr_repository_tag_immutability_enabled.sql
@@ -0,0 +1,16 @@
+select
+ -- Required Columns
+ arn as resource,
+ case
+ when image_tag_mutability = 'IMMUTABLE' then 'ok'
+ else 'alarm'
+ end as status,
+ case
+ when image_tag_mutability = 'IMMUTABLE' then title || ' tag immutability enabled.'
+ else title || ' tag immutability disabled.'
+ end as reason,
+ -- Additional Dimensions
+ region,
+ account_id
+from
+ aws_ecr_repository;
\ No newline at end of file
diff --git a/query/ecs/ecs_service_fargate_using_latest_platform_version.sql b/query/ecs/ecs_service_fargate_using_latest_platform_version.sql
new file mode 100644
index 00000000..be7a45cc
--- /dev/null
+++ b/query/ecs/ecs_service_fargate_using_latest_platform_version.sql
@@ -0,0 +1,18 @@
+select
+ -- Required Columns
+ arn as resource,
+ case
+ when launch_type <> 'FARGATE' then 'skip'
+ when platform_version = 'LATEST' then 'ok'
+ else 'alarm'
+ end as status,
+ case
+ when launch_type <> 'FARGATE' then title || ' is ' || launch_type || ' service.'
+ when platform_version = 'LATEST' then title || ' running on the latest fargate platform version.'
+ else title || ' not running on the latest fargate platform version.'
+ end as reason,
+ -- Additional Dimensions
+ region,
+ account_id
+from
+ aws_ecs_service;
\ No newline at end of file
diff --git a/query/ecs/ecs_task_definition_container_environment_no_secret.sql b/query/ecs/ecs_task_definition_container_environment_no_secret.sql
new file mode 100644
index 00000000..efd95715
--- /dev/null
+++ b/query/ecs/ecs_task_definition_container_environment_no_secret.sql
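Review bot: `launch_type <> 'FARGATE'` is unknown, not true, when `launch_type` is null, so a service whose launch type is not populated is never skipped and falls straight through to the `platform_version = 'LATEST'` comparison, where a null platform version alarms the service as "not running on the latest fargate platform version" even though it may not be a Fargate service at all; whether null launch types occur in `aws_ecs_service` is not visible here, but the predicate should be written to decide that case explicitly, e.g. `when launch_type is distinct from 'FARGATE' then 'skip'` if null means not Fargate. Separately, `platform_version = 'LATEST'` alarms on a service pinned to an explicit version string that is currently the newest release, which the control text ("running the latest Fargate platform version") treats as compliant — confirm the intended semantics and either accept the current version number as well or document that only the `LATEST` alias passes.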
@@ -0,0 +1,33 @@
+with definitions_with_secret_environment_variable as (
+ select
+ distinct task_definition_arn as arn
+ from
+ aws_ecs_task_definition,
+ jsonb_array_elements(container_definitions) as c,
+ jsonb_array_elements( c -> 'Environment') as e,
+ jsonb_array_elements(
+ case jsonb_typeof(c -> 'Secrets')
+ when 'array' then (c -> 'Secrets')
+ else null end
+ ) as s
+ where
+ e ->> 'Name' like any (array ['AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY','ECS_ENGINE_AUTH_DATA'])
+ or s ->> 'Name' like any (array ['AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY','ECS_ENGINE_AUTH_DATA'])
+)
+select
+ -- Required Columns
+ d.task_definition_arn as resource,
+ case
+ when e.arn is null then 'ok'
+ else 'alarm'
+ end as status,
+ case
+ when e.arn is null then d.title || ' container environment variables does not have secrets.'
+ else d.title || ' container environment variables have secrets.'
+ end as reason,
+ -- Additional Dimensions
+ region,
+ account_id
+from
+ aws_ecs_task_definition as d
+ left join definitions_with_secret_environment_variable as e on d.task_definition_arn = e.arn;
\ No newline at end of file
diff --git a/query/ecs/ecs_task_definition_container_non_privileged.sql b/query/ecs/ecs_task_definition_container_non_privileged.sql
new file mode 100644
index 00000000..786db587
--- /dev/null
+++ b/query/ecs/ecs_task_definition_container_non_privileged.sql
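Review bot: the CTE cross-joins `jsonb_array_elements( c -> 'Environment')` with `jsonb_array_elements(... c -> 'Secrets' ...)`, and `jsonb_array_elements` over a null or empty array yields no rows, so a container that has no `Secrets` block contributes zero rows for the `where` to evaluate and its plain environment variables are never inspected — the exact configuration the control exists to catch becomes a silent false negative, and the same happens in reverse for a container with `Secrets` but no `Environment`. The `Secrets` side is also the wrong thing to alarm on: a `Secrets` entry named `AWS_SECRET_ACCESS_KEY` is a reference resolved from Secrets Manager or SSM, which is the remediated pattern, and the control description limits itself to the `environment` parameter. Dropping the `Secrets` expansion and keeping only the `Environment` one fixes both problems; `like any` with no wildcards is plain equality, so `in (...)` states the intent more clearly. The outer `select` is unchanged apart from that.

```sql
with definitions_with_secret_environment_variable as (
  select
    distinct task_definition_arn as arn
  from
    aws_ecs_task_definition,
    jsonb_array_elements(container_definitions) as c,
    jsonb_array_elements(c -> 'Environment') as e
  where
    e ->> 'Name' in ('AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'ECS_ENGINE_AUTH_DATA')
)
-- … unchanged: outer select over aws_ecs_task_definition as d with the left join on e.arn …
```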
@@ -0,0 +1,26 @@
+with privileged_container_definition as (
+ select
+ distinct task_definition_arn as arn
+ from
+ aws_ecs_task_definition,
+ jsonb_array_elements(container_definitions) as c
+ where
+ c ->> 'Privileged' = 'true'
+)
+select
+ -- Required Columns
+ d.task_definition_arn as resource,
+ case
+ when c.arn is null then 'ok'
+ else 'alarm'
+ end as status,
+ case
+ when c.arn is null then d.title || ' does not have elevated privileges.'
+ else d.title || ' have elevated privileges.'
+ end as reason,
+ -- Additional Dimensions
+ region,
+ account_id
+from
+ aws_ecs_task_definition as d
+ left join privileged_container_definition as c on d.task_definition_arn = c.arn;
\ No newline at end of file
diff --git a/query/ecs/ecs_task_definition_container_readonly_root_filesystem.sql b/query/ecs/ecs_task_definition_container_readonly_root_filesystem.sql
new file mode 100644
index 00000000..6487bc5b
--- /dev/null
+++ b/query/ecs/ecs_task_definition_container_readonly_root_filesystem.sql
@@ -0,0 +1,26 @@
+with privileged_container_definition as (
+ select
+ distinct task_definition_arn as arn
+ from
+ aws_ecs_task_definition,
+ jsonb_array_elements(container_definitions) as c
+ where
+ c ->> 'ReadonlyRootFilesystem' = 'true'
+)
+select
+ -- Required Columns
+ d.task_definition_arn as resource,
+ case
+ when c.arn is not null then 'ok'
+ else 'alarm'
+ end as status,
+ case
+ when c.arn is not null then d.title || ' containers limited to read-only access to root filesystems.'
+ else d.title || ' containers not limited to read-only access to root filesystems.'
+ end as reason,
+ -- Additional Dimensions
+ region,
+ account_id
+from
+ aws_ecs_task_definition as d
+ left join privileged_container_definition as c on d.task_definition_arn = c.arn;
\ No newline at end of file
diff --git a/query/ecs/ecs_task_definition_no_host_pid_mode.sql b/query/ecs/ecs_task_definition_no_host_pid_mode.sql
new file mode 100644
index 00000000..0b3ab7d7
--- /dev/null
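Review bot: `ecs_task_definition_container_readonly_root_filesystem.sql` marks a task definition `'ok'` when `c.arn is not null`, i.e. when at least one container has `ReadonlyRootFilesystem = 'true'`, so a task definition with one hardened container and one writable container passes, whereas the control text fails if the parameter is false (or absent) on any container. Invert the CTE to collect offenders with `where c ->> 'ReadonlyRootFilesystem' is distinct from 'true'` (which also catches a missing parameter), change the status to `when c.arn is null then 'ok'`, and swap the two reason branches to match. The CTE is still named `privileged_container_definition`, copied from the non_privileged query in the same file set; rename it to something like `writable_root_container_definition` so the name matches what it collects.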
+++ b/query/ecs/ecs_task_definition_no_host_pid_mode.sql
@@ -0,0 +1,16 @@
+select
+ -- Required Columns
+ task_definition_arn as resource,
+ case
+ when pid_mode = 'host' then 'alarm'
+ else 'ok'
+ end as status,
+ case
+ when pid_mode = 'host' then title || ' share the host process namespace.'
+ else title || ' does not share the host process namespace.'
+ end as reason,
+ -- Additional Dimensions
+ region,
+ account_id
+from
+ aws_ecs_task_definition;
\ No newline at end of file
diff --git a/query/efs/efs_access_point_enforce_root_directory.sql b/query/efs/efs_access_point_enforce_root_directory.sql
new file mode 100644
index 00000000..13b61720
--- /dev/null
+++ b/query/efs/efs_access_point_enforce_root_directory.sql
@@ -0,0 +1,16 @@
+select
+ -- Required Columns
+ access_point_arn as resource,
+ case
+ when root_directory ->> 'Path'= '/' then 'alarm'
+ else 'ok'
+ end as status,
+ case
+ when root_directory ->> 'Path'= '/' then title || ' not configured to enforce a root directory.'
+ else title || ' configured to enforce a root directory.'
+ end as reason,
+ -- Additional Dimensions
+ region,
+ account_id
+from
+ aws_efs_access_point;
diff --git a/query/efs/efs_access_point_enforce_user_identity.sql b/query/efs/efs_access_point_enforce_user_identity.sql
new file mode 100644
index 00000000..e2e672d9
--- /dev/null
+++ b/query/efs/efs_access_point_enforce_user_identity.sql
@@ -0,0 +1,16 @@
+select
+ -- Required Columns
+ access_point_arn as resource,
+ case
+ when posix_user is null then 'alarm'
+ else 'ok'
+ end as status,
+ case
+ when posix_user is null then title || ' does not enforce a user identity.'
+ else title || ' enforce a user identity.'
+ end as reason,
+ -- Additional Dimensions
+ region,
+ account_id
+from
+ aws_efs_access_point;
diff --git a/query/eks/eks_cluster_with_latest_kubernetes_version.sql b/query/eks/eks_cluster_with_latest_kubernetes_version.sql
new file mode 100644
index 00000000..8655cbbe
--- /dev/null
+++ b/query/eks/eks_cluster_with_latest_kubernetes_version.sql
@@ -0,0 +1,16 @@
+select
+ -- Required Columns
+ arn as resource,
+ case
+ when version = '1.22' then 'ok'
+ else 'alarm'
+ end as status,
+ case
+ when version = '1.22' then title || ' runs on a lastet kubernetes version.'
+ else title || ' does not run on a lastet kubernetes version.'
+ end as reason,
+ -- Additional Dimensions
+ region,
+ account_id
+from
+ aws_eks_cluster;
\ No newline at end of file
diff --git a/query/elb/elb_application_lb_desync_mitigation_mode.sql b/query/elb/elb_application_lb_desync_mitigation_mode.sql
new file mode 100644
index 00000000..1ec54203
--- /dev/null
+++ b/query/elb/elb_application_lb_desync_mitigation_mode.sql
@@ -0,0 +1,25 @@
+with app_lb_desync_mitigation_mode as (
+ select
+ arn,
+ l ->> 'Key',
+ l ->> 'Value' as v
+ from
+ aws_ec2_application_load_balancer,
+ jsonb_array_elements(load_balancer_attributes) as l
+ where
+ l ->> 'Key' = 'routing.http.desync_mitigation_mode'
+)
+select
+ -- Required Columns
+ a.arn as resource,
+ case
+ when m.v = any ( ARRAY ['defensive', 'strictest'] ) then 'ok'
+ else 'alarm'
+ end as status,
+ title || ' has ' || m.v || ' desync mitigation mode.' as reason,
+ -- Additional Dimensions
+ region,
+ account_id
+from
+ aws_ec2_application_load_balancer as a
+ left join app_lb_desync_mitigation_mode as m on a.arn = m.arn;
\ No newline at end of file
From c38978dbaaa3cbfa49f97e90077d1df7c6b0520c Mon Sep 17 00:00:00 2001
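Review bot: `version = '1.22'` hard-codes a single Kubernetes release, so every cluster on any other version alarms — including older releases EKS still supported when this was written — which contradicts the control's "supported version" wording, and the query silently goes stale the moment a newer release ships. Either compare against a maintained list of supported versions that the mod can update in one place, or rename the control to say it pins the newest release; at minimum put `-- TODO: update when EKS publishes a new Kubernetes release` above the first `case` so the constant is not mistaken for a stable rule. Both reason strings also misspell "latest" as `lastet`.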
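Review bot: in `elb_application_lb_desync_mitigation_mode.sql`, `title || ' has ' || m.v || ' desync mitigation mode.'` produces a null `reason` whenever the `left join` finds no `routing.http.desync_mitigation_mode` attribute (`m.v` is null), and that is exactly the row whose status is `'alarm'`, so the failing resource is reported with no explanation; rewrite it as `coalesce(m.v, 'no') || ' desync mitigation mode.'` or as a `case` on `m.v is null` with a reason stating that the attribute is missing. The CTE also selects `l ->> 'Key'` without an alias and never uses it, so drop that column. `title`, `region` and `account_id` are unqualified and resolve to `a` only because the CTE happens not to define them; prefix them with `a.`.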
From: Khushboo Date: Thu, 14 Jul 2022 17:51:42 +0530 Subject: [PATCH 2/4] added new controls --- foundational_security/cloudformation.sp | 30 ++++++++++++++ .../foundational_security_cloudformation.md | 3 ++ .../foundational_security_cloudformation_1.md | 9 ++++ .../docs/foundational_security_ec2_23.md | 9 ++++ .../docs/foundational_security_ecr_1.md | 9 ++++ .../docs/foundational_security_elb_13.md | 9 ++++ .../docs/foundational_security_elb_14.md | 9 ++++ .../docs/foundational_security_kinesis.md | 3 ++ .../docs/foundational_security_kinesis_1.md | 9 ++++ foundational_security/ec2.sp | 14 +++++++ foundational_security/ecr.sp | 15 +++++++ foundational_security/elb.sp | 30 +++++++++++++- .../foundational_security.sp | 6 ++- foundational_security/kinesis.sp | 30 ++++++++++++++ ...eway_network_lb_multiple_az_configured.sql | 41 +++++++++++++++++++ .../elb_classic_lb_desync_mitigation_mode.sql | 25 +++++++++++ 16 files changed, 248 insertions(+), 3 deletions(-) create mode 100644 foundational_security/cloudformation.sp create mode 100644 foundational_security/docs/foundational_security_cloudformation.md create mode 100644 foundational_security/docs/foundational_security_cloudformation_1.md create mode 100644 foundational_security/docs/foundational_security_ec2_23.md create mode 100644 foundational_security/docs/foundational_security_ecr_1.md create mode 100644 foundational_security/docs/foundational_security_elb_13.md create mode 100644 foundational_security/docs/foundational_security_elb_14.md create mode 100644 foundational_security/docs/foundational_security_kinesis.md create mode 100644 foundational_security/docs/foundational_security_kinesis_1.md create mode 100644 foundational_security/kinesis.sp create mode 100644 query/elb/elb_application_gateway_network_lb_multiple_az_configured.sql create mode 100644 query/elb/elb_classic_lb_desync_mitigation_mode.sql 
diff --git a/foundational_security/cloudformation.sp b/foundational_security/cloudformation.sp
new file mode 100644
index 00000000..b5107641
--- /dev/null
+++ b/foundational_security/cloudformation.sp
@@ -0,0 +1,30 @@
+locals {
+ foundational_security_cloudformation_common_tags = merge(local.foundational_security_common_tags, {
+ service = "AWS/CloudFormation"
+ })
+}
+
+benchmark "foundational_security_cloudformation" {
+ title = "CloudFormation"
+ documentation = file("./foundational_security/docs/foundational_security_cloudformation.md")
+ children = [
+ control.foundational_security_cloudformation_1,
+ ]
+
+ tags = merge(local.foundational_security_cloudformation_common_tags, {
+ type = "Benchmark"
+ })
+}
+
+control "foundational_security_cloudformation_1" {
+ title = "1 CloudFormation stacks should be integrated with Simple Notification Service (SNS)"
+ description = "This control checks whether an Amazon Simple Notification Service notification is integrated with a CloudFormation stack. The control fails for a CloudFormation stack if there is no SNS notification associated with it."
+ severity = "critical"
+ sql = query.cloudformation_stack_notifications_enabled.sql
+ documentation = file("./foundational_security/docs/foundational_security_cloudformation_1.md")
+
+ tags = merge(local.foundational_security_cloudformation_common_tags, {
+ foundational_security_item_id = "cloudformation_1"
+ foundational_security_category = "application_monitoring"
+ })
+}
\ No newline at end of file
diff --git a/foundational_security/docs/foundational_security_cloudformation.md b/foundational_security/docs/foundational_security_cloudformation.md
new file mode 100644
index 00000000..d74ee4be
--- /dev/null
+++ b/foundational_security/docs/foundational_security_cloudformation.md
@@ -0,0 +1,3 @@
+## Overview
+
+This section contains recommendations for configuring CloudFormation resources and options.
\ No newline at end of file
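Review bot: `severity = "critical"` is out of proportion for a check that a stack has an SNS topic attached; the AWS Security Hub control this mirrors is published at Low severity, and every other control in this series uses `"medium"` or `"high"`, so this should almost certainly be `severity = "low"` — confirm against the FSBP reference before merging. `sql = query.cloudformation_stack_notifications_enabled.sql` also points at a query this commit does not add (the diffstat lists only two new `.sql` files, both under query/elb), so unless it already exists in the mod the control will fail to load; the same check applies to `query.ec2_transit_gateway_auto_cross_account_attachment_disabled.sql` referenced by the `ec2_23` control later in this commit. The trailing comma in `children = [ control.foundational_security_cloudformation_1, ]` is valid HCL but differs from the other benchmarks in the series; drop it for consistency.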
diff --git a/foundational_security/docs/foundational_security_cloudformation_1.md b/foundational_security/docs/foundational_security_cloudformation_1.md
new file mode 100644
index 00000000..428e07b6
--- /dev/null
+++ b/foundational_security/docs/foundational_security_cloudformation_1.md
@@ -0,0 +1,9 @@
+## Description
+
+This control checks whether an Amazon Simple Notification Service notification is integrated with a CloudFormation stack. The control fails for a CloudFormation stack if there is no SNS notification associated with it.
+
+Configuring an SNS notification with your CloudFormation stack helps immediately notify stakeholders of any events or changes occurring with the stack.
+
+## Remediation
+
+For information about how to update a CloudFormation stack, see [AWS CloudFormation stack updates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks.html) in the AWS CloudFormation User Guide.
\ No newline at end of file
diff --git a/foundational_security/docs/foundational_security_ec2_23.md b/foundational_security/docs/foundational_security_ec2_23.md
new file mode 100644
index 00000000..bb78975b
--- /dev/null
+++ b/foundational_security/docs/foundational_security_ec2_23.md
@@ -0,0 +1,9 @@
+## Description
+
+This control checks if EC2 Transit Gateways are automatically accepting shared VPC attachments. This control fails for a Transit Gateway that automatically accepts shared VPC attachment requests.
+
+Turning on AutoAcceptSharedAttachments configures a Transit Gateway to automatically accept any cross-account VPC attachment requests without verifying the request or the account the attachment is originating from. To follow the best practices of authorization and authentication, we recommended turning off this feature to ensure that only authorized VPC attachment requests are accepted.
+
+## Remediation
+
+For information about how to modify a Transit Gateway, see [Modify a transit gateway](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-transit-gateways.html#tgw-modifying) in the Amazon VPC Developer Guide.
\ No newline at end of file
diff --git a/foundational_security/docs/foundational_security_ecr_1.md b/foundational_security/docs/foundational_security_ecr_1.md
new file mode 100644
index 00000000..bbac5964
--- /dev/null
+++ b/foundational_security/docs/foundational_security_ecr_1.md
@@ -0,0 +1,9 @@
+## Description
+
+This control checks whether a private ECR repository has image scanning configured. This control fails if a private ECR repository doesn't have image scanning configured.
+
+ECR image scanning helps in identifying software vulnerabilities in your container images. ECR uses the Common Vulnerabilities and Exposures (CVEs) database from the open-source Clair project and provides a list of scan findings. Enabling image scanning on ECR repositories adds a layer of verification for the integrity and safety of the images being stored.
+
+## Remediation
+
+To configure image scanning for an ECR repository, see [Image scanning](https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html) in the Amazon Elastic Container Registry User Guide.
diff --git a/foundational_security/docs/foundational_security_elb_13.md b/foundational_security/docs/foundational_security_elb_13.md
new file mode 100644
index 00000000..e33af658
--- /dev/null
+++ b/foundational_security/docs/foundational_security_elb_13.md
@@ -0,0 +1,9 @@
+## Description
+
+This control checks whether an Elastic Load Balancer V2 (Application, Network, or Gateway Load Balancer) has registered instances from multiple Availability Zones. The control fails if an Elastic Load Balancer V2 has instances registered in fewer than two Availability Zones.
+
+Elastic Load Balancing automatically distributes your incoming traffic across multiple targets, such as EC2 instances, containers, and IP addresses, in one or more Availability Zones. Elastic Load Balancing scales your load balancer as your incoming traffic changes over time. It is recommended to configure at least two availability zones to ensure availability of services, as the Elastic Load Balancer will be able to direct traffic to another availability zone if one becomes unavailable. Having multiple availability zones configured will help eliminate having a single point of failure for the application.
+
+## Remediation
+
+To add an Availability Zone to an Application Load Balancer, see [Availability Zones for your Application Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-subnets.html) in the User Guide for Application Load Balancers. To add an Availability Zone to an Network Load Balancer, see [Network Load Balancer ](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/network-load-balancers.html#availability-zones) s in the User Guide for Network Load Balancers. To add an Availability Zone to a Gateway Load Balancer, see [Create a Gateway Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/gateway/create-load-balancer.html) in the User Guide for Gateway Load Balancers.
\ No newline at end of file
diff --git a/foundational_security/docs/foundational_security_elb_14.md b/foundational_security/docs/foundational_security_elb_14.md
new file mode 100644
index 00000000..b8731151
--- /dev/null
+++ b/foundational_security/docs/foundational_security_elb_14.md
@@ -0,0 +1,9 @@
+## Description
+
+This control checks whether a Classic Load Balancer is configured with defensive or strictest desync mitigation mode. This control will fail if the Classic Load Balancer is not configured with defensive or strictest desync mitigation mode.
+
+HTTP Desync issues can lead to request smuggling and make applications vulnerable to request queue or cache poisoning. In turn, these vulnerabilities can lead to credential hijacking or execution of unauthorized commands. Classic Load Balancers configured with defensive or strictest desync mitigation mode protect your application from security issues that may be caused by HTTP Desync.
+
+## Remediation
+
+To update desync mitigation mode of a Classic Load Balancer, see [Modify desync mitigation mode](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-desync-mitigation-mode.html#update-desync-mitigation-mode) in the User Guide for Classic Load Balancers.
\ No newline at end of file
diff --git a/foundational_security/docs/foundational_security_kinesis.md b/foundational_security/docs/foundational_security_kinesis.md
new file mode 100644
index 00000000..34e9378d
--- /dev/null
+++ b/foundational_security/docs/foundational_security_kinesis.md
@@ -0,0 +1,3 @@
+## Overview
+
+This section contains recommendations for configuring AWS Kinesis resources and options.
\ No newline at end of file
diff --git a/foundational_security/docs/foundational_security_kinesis_1.md b/foundational_security/docs/foundational_security_kinesis_1.md
new file mode 100644
index 00000000..28b61c1d
--- /dev/null
+++ b/foundational_security/docs/foundational_security_kinesis_1.md
@@ -0,0 +1,9 @@ +## Description + +This control checks if Kinesis Data Streams are encrypted at rest with server-side encryption. This control fails if a Kinesis stream is not encrypted at rest with server-side encryption. + +Server-side encryption is a feature in Amazon Kinesis Data Streams that automatically encrypts data before it's at rest by using an AWS KMS key. Data is encrypted before it's written to the Kinesis stream storage layer, and decrypted after it’s retrieved from storage. As a result, your data is encrypted at rest within the Amazon Kinesis Data Streams service. + +## Remediation + +For information about enabling server-side encryption for Kinesis streams, see [How Do I Get Started with Server-Side Encryption?](https://docs.aws.amazon.com/streams/latest/dev/getting-started-with-sse.html) in the Amazon Kinesis Developer Guide. \ No newline at end of file diff --git a/foundational_security/ec2.sp b/foundational_security/ec2.sp index b58e3196..04bfcde1 100644 --- a/foundational_security/ec2.sp +++ b/foundational_security/ec2.sp @@ -24,6 +24,7 @@ benchmark "foundational_security_ec2" { control.foundational_security_ec2_19, control.foundational_security_ec2_21, control.foundational_security_ec2_22, + control.foundational_security_ec2_23, control.foundational_security_ec2_24 ] 
@@ -240,6 +241,19 @@ control "foundational_security_ec2_22" {
 })
 }
 
+control "foundational_security_ec2_23" {
+ title = "23 EC2 Transit Gateways should not automatically accept VPC attachment requests"
+ description = "This control checks if EC2 Transit Gateways are automatically accepting shared VPC attachments. This control fails for a Transit Gateway that automatically accepts shared VPC attachment requests."
+ severity = "high"
+ sql = query.ec2_transit_gateway_auto_cross_account_attachment_disabled.sql
+ documentation = file("./foundational_security/docs/foundational_security_ec2_23.md")
+
+ tags = merge(local.foundational_security_ec2_common_tags, {
+ foundational_security_item_id = "ec2_23"
+ foundational_security_category = "secure_network_configuration"
+ })
+}
+
 control "foundational_security_ec2_24" {
 title = "24 Paravirtual EC2 instance types should not be used"
 description = "This control checks whether the virtualization type of an EC2 instance is paravirtual. The control fails if the virtualizationType of the EC2 instance is set to paravirtual."
diff --git a/foundational_security/ecr.sp b/foundational_security/ecr.sp
index 931ddf4d..2cffb8fa 100644
--- a/foundational_security/ecr.sp
+++ b/foundational_security/ecr.sp
@@ -8,6 +8,7 @@ benchmark "foundational_security_ecr" {
 title = "Elastic Container Registry"
 documentation = file("./foundational_security/docs/foundational_security_ecr.md")
 children = [
+ control.foundational_security_ecr_1,
 control.foundational_security_ecr_2,
 control.foundational_security_ecr_3
 ]
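Review bot: The new `foundational_security_ec2_23` control references `query.ec2_transit_gateway_auto_cross_account_attachment_disabled.sql` and `./foundational_security/docs/foundational_security_ec2_23.md`, but neither file is added anywhere in the visible part of this patch series, so the reference may be dangling; the same applies to `query.ecr_repository_image_scan_on_push_enabled.sql` and `foundational_security_ecr_1.md` in the ecr.sp hunk that follows. If both already exist in the repository this is fine; otherwise the mod presumably fails to load on the unresolved query/file reference. Worth confirming before merge, since the other new controls in this series (elb_13, elb_14, kinesis_1) do ship their query and doc files alongside.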
@@ -17,6 +18,19 @@ benchmark "foundational_security_ecr" {
 })
 }
 
+control "foundational_security_ecr_1" {
+ title = "1 ECR private repositories should have image scanning configured"
+ description = "This control checks whether a private ECR repository has image scanning configured. This control fails if a private ECR repository doesn't have image scanning configured."
+ severity = "high"
+ sql = query.ecr_repository_image_scan_on_push_enabled.sql
+ documentation = file("./foundational_security/docs/foundational_security_ecr_1.md")
+
+ tags = merge(local.foundational_security_ecr_common_tags, {
+ foundational_security_item_id = "ecr_1"
+ foundational_security_category = "vulnerability_patch_and_version_management"
+ })
+}
+
 control "foundational_security_ecr_2" {
 title = "2 ECR private repositories should have tag immutability configured"
 description = "This control checks whether a private ECR repository has tag immutability enabled. This control fails if a private ECR repository has tag immutability disabled. This rule passes if tag immutability is enabled and has the value IMMUTABLE."
@@ -42,3 +56,4 @@ control "foundational_security_ecr_3" {
 foundational_security_category = "resource_configuration"
 })
 }
+
diff --git a/foundational_security/elb.sp b/foundational_security/elb.sp
index beac57f4..e50eeed0 100644
--- a/foundational_security/elb.sp
+++ b/foundational_security/elb.sp
@@ -13,7 +13,10 @@ benchmark "foundational_security_elb" {
 control.foundational_security_elb_5,
 control.foundational_security_elb_6,
 control.foundational_security_elb_7,
- control.foundational_security_elb_10
+ control.foundational_security_elb_10,
+ control.foundational_security_elb_12,
+ control.foundational_security_elb_13,
+ control.foundational_security_elb_14
 ]
 
 tags = merge(local.foundational_security_elb_common_tags, {
@@ -112,3 +115,28 @@ control "foundational_security_elb_12" {
 })
 }
 
+control "foundational_security_elb_13" {
+ title = "13 Application, Network, and Gateway Load Balancers should span multiple Availability Zones"
+ description = "This control checks whether an Elastic Load Balancer V2 (Application, Network, or Gateway Load Balancer) has registered instances from multiple Availability Zones. The control fails if an Elastic Load Balancer V2 has instances registered in fewer than two Availability Zones."
+ severity = "medium"
+ sql = query.elb_application_gateway_network_lb_multiple_az_configured.sql
+ documentation = file("./foundational_security/docs/foundational_security_elb_13.md")
+
+ tags = merge(local.foundational_security_elb_common_tags, {
+ foundational_security_item_id = "elb_13"
+ foundational_security_category = "high_availability"
+ })
+}
+
+control "foundational_security_elb_14" {
+ title = "14 Classic Load Balancers should be configured with defensive or strictest desync mitigation mode"
+ description = "This control checks whether a Classic Load Balancer is configured with defensive or strictest desync mitigation mode. This control will fail if the Classic Load Balancer is not configured with defensive or strictest desync mitigation mode."
+ severity = "medium"
+ sql = query.elb_classic_lb_desync_mitigation_mode.sql
+ documentation = file("./foundational_security/docs/foundational_security_elb_14.md")
+
+ tags = merge(local.foundational_security_elb_common_tags, {
+ foundational_security_item_id = "elb_14"
+ foundational_security_category = "data_integrity"
+ })
+}
diff --git a/foundational_security/foundational_security.sp b/foundational_security/foundational_security.sp
index ac8a04fc..31f36046 100644
--- a/foundational_security/foundational_security.sp
+++ b/foundational_security/foundational_security.sp
@@ -12,6 +12,7 @@ benchmark "foundational_security" {
 benchmark.foundational_security_acm,
 benchmark.foundational_security_apigateway,
 benchmark.foundational_security_autoscaling,
+ benchmark.foundational_security_cloudformation,
 benchmark.foundational_security_cloudfront,
 benchmark.foundational_security_cloudtrail,
 benchmark.foundational_security_codebuild,
@@ -29,6 +30,7 @@ benchmark "foundational_security" {
 benchmark.foundational_security_es,
 benchmark.foundational_security_guardduty,
 benchmark.foundational_security_iam,
+ benchmark.foundational_security_kinesis,
 benchmark.foundational_security_kms,
 benchmark.foundational_security_lambda,
 benchmark.foundational_security_networkfirewall,
@@ -38,8 +40,8 @@ benchmark "foundational_security" {
 benchmark.foundational_security_sagemaker,
 benchmark.foundational_security_secretsmanager,
 benchmark.foundational_security_sns,
- benchmark.foundational_security_ssm,
- benchmark.foundational_security_sqs
+ benchmark.foundational_security_sqs,
+ benchmark.foundational_security_ssm
 ]
 
 tags = merge(local.foundational_security_common_tags, {
diff --git a/foundational_security/kinesis.sp b/foundational_security/kinesis.sp
new file mode 100644
index 00000000..05a0230d
--- /dev/null
+++ b/foundational_security/kinesis.sp
@@ -0,0 +1,30 @@
+locals {
+ foundational_security_kinesis_common_tags = merge(local.foundational_security_common_tags, {
+ service = "AWS/Kinesis"
+ })
+}
+
+benchmark "foundational_security_kinesis" {
+ title = "Kinesis"
+ documentation = file("./foundational_security/docs/foundational_security_kinesis.md")
+ children = [
+ control.foundational_security_kinesis_1
+ ]
+
+ tags = merge(local.foundational_security_kinesis_common_tags, {
+ type = "Benchmark"
+ })
+}
+
+control "foundational_security_kinesis_1" {
+ title = "1 Kinesis Data Streams should be encrypted at rest"
+ description = "This control checks if Kinesis Data Streams are encrypted at rest with server-side encryption. This control fails if a Kinesis stream is not encrypted at rest with server-side encryption."
+ severity = "medium"
+ sql = query.kinesis_stream_server_side_encryption_enabled.sql
+ documentation = file("./foundational_security/docs/foundational_security_kinesis_1.md")
+
+ tags = merge(local.foundational_security_kinesis_common_tags, {
+ foundational_security_item_id = "kinesis_1"
+ foundational_security_category = "encryption_of_data_at_rest"
+ })
+}
\ No newline at end of file
diff --git a/query/elb/elb_application_gateway_network_lb_multiple_az_configured.sql b/query/elb/elb_application_gateway_network_lb_multiple_az_configured.sql
new file mode 100644
index 00000000..06b9a1a8
--- /dev/null
+++ b/query/elb/elb_application_gateway_network_lb_multiple_az_configured.sql
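Review bot: The new kinesis.sp ends without a trailing newline (`\ No newline at end of file` after the closing `}`), which differs from the other .sp files touched in this series and will surface as a spurious one-line change the next time the file is edited; add a final newline after `}`. The locals/benchmark/control layout otherwise mirrors the existing service files, and the control is registered in foundational_security.sp in the preceding hunk.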
@@ -0,0 +1,41 @@
+select
+ -- Required Columns
+ arn as resource,
+ case
+ when jsonb_array_length(availability_zones) < 2 then 'alarm'
+ else 'ok'
+ end as status,
+ title || ' has ' || jsonb_array_length(availability_zones) || ' availability zone(s).' as reason,
+ -- Additional Dimensions
+ region,
+ account_id
+from
+ aws_ec2_application_load_balancer
+union
+select
+ -- Required Columns
+ arn as resource,
+ case
+ when jsonb_array_length(availability_zones) < 2 then 'alarm'
+ else 'ok'
+ end as status,
+ title || ' has ' || jsonb_array_length(availability_zones) || ' availability zone(s).' as reason,
+ -- Additional Dimensions
+ region,
+ account_id
+from
+ aws_ec2_network_load_balancer
+union
+select
+ -- Required Columns
+ arn as resource,
+ case
+ when jsonb_array_length(availability_zones) < 2 then 'alarm'
+ else 'ok'
+ end as status,
+ title || ' has ' || jsonb_array_length(availability_zones) || ' availability zone(s).' as reason,
+ -- Additional Dimensions
+ region,
+ account_id
+from
+ aws_ec2_gateway_load_balancer;
diff --git a/query/elb/elb_classic_lb_desync_mitigation_mode.sql b/query/elb/elb_classic_lb_desync_mitigation_mode.sql
new file mode 100644
index 00000000..31e2276f
--- /dev/null
+++ b/query/elb/elb_classic_lb_desync_mitigation_mode.sql
@@ -0,0 +1,25 @@
+with app_lb_desync_mitigation_mode as (
+ select
+ arn,
+ a ->> 'Key',
+ a ->> 'Value' as v
+ from
+ aws_ec2_classic_load_balancer,
+ jsonb_array_elements(additional_attributes) as a
+ where
+ a ->> 'Key' = 'elb.http.desyncmitigationmode'
+)
+select
+ -- Required Columns
+ c.arn as resource,
+ case
+ when m.v = any ( ARRAY ['defensive', 'strictest'] ) then 'ok'
+ else 'alarm'
+ end as status,
+ title || ' has ' || m.v || ' desync mitigation mode.' as reason,
+ -- Additional Dimensions
+ region,
+ account_id
+from
+ aws_ec2_classic_load_balancer as c
+ left join app_lb_desync_mitigation_mode as m on c.arn = m.arn;
\ No newline at end of file
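Review bot: The three per-type branches are joined with `union`, which forces a DISTINCT sort across the combined result even though the ARNs of application, network and gateway load balancers cannot collide; `union all` is the correct and cheaper operator here. Separately, if `availability_zones` can be NULL for a load balancer, `jsonb_array_length(null) < 2` is unknown, so such a row falls through to `'ok'` with a NULL `reason`, the opposite of what the control intends; a guard like `when availability_zones is null or jsonb_array_length(availability_zones) < 2 then 'alarm'` keeps it in alarm. The control description in elb.sp speaks of "registered instances" in multiple AZs, while this query counts the zones the load balancer itself is configured in; the description should match what is actually measured.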
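Review bot: If a Classic Load Balancer's `additional_attributes` carries no `elb.http.desyncmitigationmode` entry, the left join leaves `m.v` NULL, the status correctly falls to `'alarm'`, but the reason `title || ' has ' || m.v || ' desync mitigation mode.'` evaluates to NULL; use `coalesce(m.v, 'no')` in the concatenation or add a `when m.v is null then title || ' has no desync mitigation mode configured.'` branch so the finding is explained. The CTE also selects `a ->> 'Key'` as an unnamed column that nothing reads, and its name `app_lb_desync_mitigation_mode` is misleading for a query over `aws_ec2_classic_load_balancer`; drop the column and rename it to something like `classic_lb_desync_mitigation_mode`. The file is also missing its trailing newline.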
From d7cd40475aab6492517fd8c424efa27782bb8e03 Mon Sep 17 00:00:00 2001 From: Khushboo Date: Thu, 14 Jul 2022 18:21:14 +0530 Subject: [PATCH 3/4] update --- foundational_security/autoscaling.sp | 2 +- foundational_security/cloudformation.sp | 4 ++-- foundational_security/ecs.sp | 3 ++- foundational_security/eks.sp | 4 ++-- foundational_security/foundational_security.sp | 1 + 5 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/foundational_security/autoscaling.sp b/foundational_security/autoscaling.sp
index 6d99d03d..c8bcda0d 100644
--- a/foundational_security/autoscaling.sp
+++ b/foundational_security/autoscaling.sp
@@ -63,7 +63,7 @@ control "foundational_security_autoscaling_4" {
 title = "4 Auto Scaling group launch configuration should not have metadata response hop limit greater than 1"
 description = "This control checks the number of network hops that a metadata token can travel. The control fails if the metadata response hop limit is greater than 1."
 severity = "high"
- sql = query.autoscaling_launch_config_requires_imdsv2.sql
+ sql = query.autoscaling_launch_config_hop_limit.sql
 documentation = file("./foundational_security/docs/foundational_security_autoscaling_4.md")
 
 tags = merge(local.foundational_security_autoscaling_common_tags, {
diff --git a/foundational_security/cloudformation.sp b/foundational_security/cloudformation.sp
index b5107641..c4a059ea 100644
--- a/foundational_security/cloudformation.sp
+++ b/foundational_security/cloudformation.sp
@@ -8,7 +8,7 @@ benchmark "foundational_security_cloudformation" {
 title = "CloudFormation"
 documentation = file("./foundational_security/docs/foundational_security_cloudformation.md")
 children = [
- control.foundational_security_cloudformation_1,
+ control.foundational_security_cloudformation_1
 ]
 
 tags = merge(local.foundational_security_cloudformation_common_tags, {
@@ -19,7 +19,7 @@ benchmark "foundational_security_cloudformation" {
 control "foundational_security_cloudformation_1" {
 title = "1 CloudFormation stacks should be integrated with Simple Notification Service (SNS)"
 description = "This control checks whether an Amazon Simple Notification Service notification is integrated with a CloudFormation stack. The control fails for a CloudFormation stack if there is no SNS notification associated with it."
- severity = "critical"
+ severity = "low"
 sql = query.cloudformation_stack_notifications_enabled.sql
 documentation = file("./foundational_security/docs/foundational_security_cloudformation_1.md")
 
diff --git a/foundational_security/ecs.sp b/foundational_security/ecs.sp
index c51f3005..e397cfb7 100644
--- a/foundational_security/ecs.sp
+++ b/foundational_security/ecs.sp
@@ -13,7 +13,8 @@ benchmark "foundational_security_ecs" {
 control.foundational_security_ecs_3,
 control.foundational_security_ecs_4,
 control.foundational_security_ecs_5,
- control.foundational_security_ecs_8
+ control.foundational_security_ecs_8,
+ control.foundational_security_ecs_10
 ]
 
 tags = merge(local.foundational_security_ecs_common_tags, {
diff --git a/foundational_security/eks.sp b/foundational_security/eks.sp
index 7b06948e..016c7da3 100644
--- a/foundational_security/eks.sp
+++ b/foundational_security/eks.sp
@@ -17,13 +17,13 @@ benchmark "foundational_security_eks" {
 }
 
 control "foundational_security_eks_2" {
- title = "1 EKS clusters should run on a supported Kubernetes version"
+ title = "2 EKS clusters should run on a supported Kubernetes version"
 description = "This control checks whether an Amazon EKS cluster is running on a supported Kubernetes version. The control fails if the EKS cluster is running on an unsupported version. If your application doesn't require a specific version of Kubernetes, we recommend that you use the latest available Kubernetes version that's supported by EKS for your clusters."
 severity = "high"
 sql = query.eks_cluster_with_latest_kubernetes_version.sql
 documentation = file("./foundational_security/docs/foundational_security_eks_2.md")
 
- tags = merge(local.foundational_security_efs_common_tags, {
+ tags = merge(local.foundational_security_eks_common_tags, {
 foundational_security_item_id = "eks_2"
 foundational_security_category = "vulnerability_patch_and_version_management"
 })
diff --git a/foundational_security/foundational_security.sp b/foundational_security/foundational_security.sp
index 31f36046..d9d02365 100644
--- a/foundational_security/foundational_security.sp
+++ b/foundational_security/foundational_security.sp
@@ -23,6 +23,7 @@ benchmark "foundational_security" {
 benchmark.foundational_security_ecr,
 benchmark.foundational_security_ecs,
 benchmark.foundational_security_efs,
+ benchmark.foundational_security_eks,
 benchmark.foundational_security_elasticbeanstalk,
 benchmark.foundational_security_elb,
 benchmark.foundational_security_elbv2,
From cd115da8665abd8587ed6308037c007daeb3e001 Mon Sep 17 00:00:00 2001
From: Khushboo Date: Tue, 19 Jul 2022 14:53:17 +0530 Subject: [PATCH 4/4] update --- foundational_security/docs/foundational_security_ecs_5.md | 2 +- query/autoscaling/autoscaling_launch_config_hop_limit.sql | 5 +---- .../cloudfront_distribution_no_deprecated_ssl_protocol.sql | 2 +- query/ec2/ec2_instance_no_amazon_key_pair.sql | 2 +- .../ec2/ec2_instance_virtualization_type_no_paravirtual.sql | 5 +---- query/ecs/ecs_task_definition_container_non_privileged.sql | 2 +- query/ecs/ecs_task_definition_no_host_pid_mode.sql | 2 +- query/efs/efs_access_point_enforce_user_identity.sql | 2 +- query/eks/eks_cluster_with_latest_kubernetes_version.sql | 4 ++-- .../s3/s3_bucket_versioning_and_lifecycle_policy_enabled.sql | 2 +- 10 files changed, 11 insertions(+), 17 deletions(-) diff --git a/foundational_security/docs/foundational_security_ecs_5.md b/foundational_security/docs/foundational_security_ecs_5.md index 63b726b5..4d09dec7 100644 --- a/foundational_security/docs/foundational_security_ecs_5.md +++ b/foundational_security/docs/foundational_security_ecs_5.md @@ -10,7 +10,7 @@ Enabling this option reduces security attack vectors since the container instanc 1. Open the [Amazon ECS console](https://console.aws.amazon.com/ecs/). 2. In the left navigation pane, choose `Task Definitions`. -3.For each task definition that has container definitions that need to be updated, do the following: +3. For each task definition that has container definitions that need to be updated, do the following: - Select the container definition that needs to be updated. - Choose `Edit Container`. For `Storage and Logging`, select `Read only root file system`. - Choose `Update` at the bottom of the `Edit Container` tab. diff --git a/query/autoscaling/autoscaling_launch_config_hop_limit.sql b/query/autoscaling/autoscaling_launch_config_hop_limit.sql index dffff1e6..cd736ee2 100644 --- a/query/autoscaling/autoscaling_launch_config_hop_limit.sql 
+++ b/query/autoscaling/autoscaling_launch_config_hop_limit.sql
@@ -5,10 +5,7 @@ select
 when metadata_options_put_response_hop_limit > 1 then 'alarm'
 else 'ok'
 end as status,
- case
- when metadata_options_put_response_hop_limit > 1 then title || ' metadata response hop limit is greater than 1.'
- else title || ' metadata response hop limit is not greater than 1.'
- end as reason,
+ title || ' has a metadata response hop limit of ' || metadata_options_put_response_hop_limit || '.' as reason,
 -- Additional Dimensions
 region,
 account_id
diff --git a/query/cloudfront/cloudfront_distribution_no_deprecated_ssl_protocol.sql b/query/cloudfront/cloudfront_distribution_no_deprecated_ssl_protocol.sql
index 0311fa54..b7d1d094 100644
--- a/query/cloudfront/cloudfront_distribution_no_deprecated_ssl_protocol.sql
+++ b/query/cloudfront/cloudfront_distribution_no_deprecated_ssl_protocol.sql
@@ -17,7 +17,7 @@ select
 end as status,
 case
 when o.arn is null then title || ' does not have deprecated SSL protocols.'
- else title || ' have deprecated SSL protocols.'
+ else title || ' has deprecated SSL protocols.'
 end as reason,
 -- Additional Dimensions
 region,
diff --git a/query/ec2/ec2_instance_no_amazon_key_pair.sql b/query/ec2/ec2_instance_no_amazon_key_pair.sql
index 712ec1d0..4c6fa666 100644
--- a/query/ec2/ec2_instance_no_amazon_key_pair.sql
+++ b/query/ec2/ec2_instance_no_amazon_key_pair.sql
@@ -7,7 +7,7 @@ select
 else 'alarm'
 end as status,
 case
- when instance_state <> 'running' then title || ' is in ' || instance_state || ' state.'
+ when instance_state <> 'running' then title || ' is in ' || instance_state || ' state.'
 when key_name is null then title || ' not launched using amazon key pairs.'
 else title || ' launched using amazon key pairs.'
 end as reason,
diff --git a/query/ec2/ec2_instance_virtualization_type_no_paravirtual.sql b/query/ec2/ec2_instance_virtualization_type_no_paravirtual.sql
index c5e2381b..b97dbc08 100644
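Review bot: The simplified reason concatenates `metadata_options_put_response_hop_limit` directly, so if that column is NULL for a launch configuration (worth confirming against the plugin column; it looks plausible when no metadata options were set) the entire reason becomes NULL, while `null > 1` also leaves the status at `'ok'`; the removed `case` at least always produced text. Consider `coalesce(metadata_options_put_response_hop_limit::text, 'no')` in the reason, and make the NULL outcome an explicit branch in the status `case` that sits above the hunk. The paravirtual hunk on the next line applies the same pattern to `virtualization_type`, though that column is less likely to be empty.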
--- a/query/ec2/ec2_instance_virtualization_type_no_paravirtual.sql
+++ b/query/ec2/ec2_instance_virtualization_type_no_paravirtual.sql
@@ -5,10 +5,7 @@ select
 when virtualization_type = 'paravirtual' then 'alarm'
 else 'ok'
 end as status,
- case
- when virtualization_type = 'paravirtual' then title || ' virtualization type is paravirtual.'
- else title || ' virtualization type is ' || virtualization_type || '.'
- end as reason,
+ title || ' virtualization type is ' || virtualization_type || '.' as reason,
 -- Additional Dimensions
 region,
 account_id
diff --git a/query/ecs/ecs_task_definition_container_non_privileged.sql b/query/ecs/ecs_task_definition_container_non_privileged.sql
index 786db587..3fc41b34 100644
--- a/query/ecs/ecs_task_definition_container_non_privileged.sql
+++ b/query/ecs/ecs_task_definition_container_non_privileged.sql
@@ -16,7 +16,7 @@ select
 end as status,
 case
 when c.arn is null then d.title || ' does not have elevated privileges.'
- else d.title || ' have elevated privileges.'
+ else d.title || ' has elevated privileges.'
 end as reason,
 -- Additional Dimensions
 region,
diff --git a/query/ecs/ecs_task_definition_no_host_pid_mode.sql b/query/ecs/ecs_task_definition_no_host_pid_mode.sql
index 0b3ab7d7..283b516c 100644
--- a/query/ecs/ecs_task_definition_no_host_pid_mode.sql
+++ b/query/ecs/ecs_task_definition_no_host_pid_mode.sql
@@ -6,7 +6,7 @@ select
 else 'ok'
 end as status,
 case
- when pid_mode = 'host' then title || ' share the host process namespace.'
+ when pid_mode = 'host' then title || ' shares the host process namespace.'
 else title || ' does not share the host process namespace.'
 end as reason,
 -- Additional Dimensions
diff --git a/query/efs/efs_access_point_enforce_user_identity.sql b/query/efs/efs_access_point_enforce_user_identity.sql
index e2e672d9..11804fd7 100644
--- a/query/efs/efs_access_point_enforce_user_identity.sql
+++ b/query/efs/efs_access_point_enforce_user_identity.sql
@@ -7,7 +7,7 @@ select
 end as status,
 case
 when posix_user is null then title || ' does not enforce a user identity.'
- else title || ' enforce a user identity.'
+ else title || ' enforces a user identity.'
 end as reason,
 -- Additional Dimensions
 region,
diff --git a/query/eks/eks_cluster_with_latest_kubernetes_version.sql b/query/eks/eks_cluster_with_latest_kubernetes_version.sql
index 8655cbbe..556a2b54 100644
--- a/query/eks/eks_cluster_with_latest_kubernetes_version.sql
+++ b/query/eks/eks_cluster_with_latest_kubernetes_version.sql
@@ -6,8 +6,8 @@ select
 else 'alarm'
 end as status,
 case
- when version = '1.22' then title || ' runs on a lastet kubernetes version.'
- else title || ' does not run on a lastet kubernetes version.'
+ when version = '1.22' then title || ' runs on a latest kubernetes version.'
+ else title || ' does not run on a latest kubernetes version.'
 end as reason,
 -- Additional Dimensions
 region,
diff --git a/query/s3/s3_bucket_versioning_and_lifecycle_policy_enabled.sql b/query/s3/s3_bucket_versioning_and_lifecycle_policy_enabled.sql
index 42d70385..a9667b21 100644
--- a/query/s3/s3_bucket_versioning_and_lifecycle_policy_enabled.sql
+++ b/query/s3/s3_bucket_versioning_and_lifecycle_policy_enabled.sql
@@ -17,7 +17,7 @@ select
 end status,
 case
 when not versioning_enabled then name || ' versioning diabled.'
- when versioning_enabled and r.arn is not null then ' lifecycle policy configured'
+ when versioning_enabled and r.arn is not null then ' lifecycle policy configured.'
 else name || ' lifecycle policy not configured.'
 end reason,
 -- Additional Dimensions
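Review bot: The reason branch still keys on the single hard-coded literal `version = '1.22'`, so a control titled "EKS clusters should run on a supported Kubernetes version" (eks.sp in the previous patch) will report every other version, including ones EKS still supports, as not current, and the check silently goes stale as soon as a new release ships; the status branch above the hunk presumably uses the same comparison. Keep the accepted versions in one place, e.g. `when version in ('1.22') then ...` with a comment recording when the list was last refreshed, or compare against a minimum supported version, and apply the same change to the status case. The text `' runs on a latest kubernetes version.'` also reads oddly; `' runs on a supported Kubernetes version.'` would match the control title. The enclosing select starts above the hunk.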
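Review bot: The `' lifecycle policy configured.'` branch is the only one that omits the `name ||` prefix, so the reason for passing buckets comes out as ` lifecycle policy configured.` with no bucket name, unlike its two sibling branches; it should read `when versioning_enabled and r.arn is not null then name || ' lifecycle policy configured.'`. The commit only appended the full stop, and the unchanged context line above still carries the typo `' versioning diabled.'`, which could be fixed in the same pass. The enclosing select starts above the hunk.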