Add new fsbp controls #457

Merged
merged 4 commits into from
Jul 19, 2022
28 changes: 28 additions & 0 deletions foundational_security/autoscaling.sp
@@ -10,6 +10,8 @@ benchmark "foundational_security_autoscaling" {
children = [
control.foundational_security_autoscaling_1,
control.foundational_security_autoscaling_2,
control.foundational_security_autoscaling_3,
control.foundational_security_autoscaling_4,
control.foundational_security_autoscaling_5
]

@@ -44,6 +46,32 @@ control "foundational_security_autoscaling_2" {
})
}

control "foundational_security_autoscaling_3" {
title = "3 Auto Scaling group should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)"
description = "This control checks whether IMDSv2 is enabled on all instances launched by Amazon EC2 Auto Scaling groups. The control fails if the Instance Metadata Service (IMDS) version is not included in the launch configuration or if both IMDSv1 and IMDSv2 are enabled."
severity = "high"
sql = query.autoscaling_launch_config_requires_imdsv2.sql
documentation = file("./foundational_security/docs/foundational_security_autoscaling_3.md")

tags = merge(local.foundational_security_autoscaling_common_tags, {
foundational_security_item_id = "autoscaling_3"
foundational_security_category = "secure_network_configuration"
})
}

control "foundational_security_autoscaling_4" {
title = "4 Auto Scaling group launch configuration should not have metadata response hop limit greater than 1"
description = "This control checks the number of network hops that a metadata token can travel. The control fails if the metadata response hop limit is greater than 1."
severity = "high"
sql = query.autoscaling_launch_config_hop_limit.sql
documentation = file("./foundational_security/docs/foundational_security_autoscaling_4.md")

tags = merge(local.foundational_security_autoscaling_common_tags, {
foundational_security_item_id = "autoscaling_4"
foundational_security_category = "secure_network_configuration"
})
}

control "foundational_security_autoscaling_5" {
title = "5 Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses"
description = "This control checks whether an Auto Scaling groups associated launch configuration assigns a public IP address to the group’s instances."
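Review bot: In the `foundational_security_autoscaling_3` block the description says the control fails when the IMDS version is not included in the launch configuration; make sure `query.autoscaling_launch_config_requires_imdsv2` really treats a launch configuration with no `MetadataOptions` as a fail, since an unset `HttpTokens` defaults to `optional` (IMDSv1 still answers), which is exactly the case the control is meant to catch. Conversely, in `foundational_security_autoscaling_4` an unset `HttpPutResponseHopLimit` defaults to 1 and should be reported as a pass, not as null or unknown. Both titles also drop the words "launch configuration" that the descriptions rely on; the query inspects launch configurations, not the group itself, so "Auto Scaling group launch configurations should ..." would match what is evaluated.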
30 changes: 30 additions & 0 deletions foundational_security/cloudformation.sp
@@ -0,0 +1,30 @@
locals {
foundational_security_cloudformation_common_tags = merge(local.foundational_security_common_tags, {
service = "AWS/CloudFormation"
})
}

benchmark "foundational_security_cloudformation" {
title = "CloudFormation"
documentation = file("./foundational_security/docs/foundational_security_cloudformation.md")
children = [
control.foundational_security_cloudformation_1
]

tags = merge(local.foundational_security_cloudformation_common_tags, {
type = "Benchmark"
})
}

control "foundational_security_cloudformation_1" {
title = "1 CloudFormation stacks should be integrated with Simple Notification Service (SNS)"
description = "This control checks whether an Amazon Simple Notification Service notification is integrated with a CloudFormation stack. The control fails for a CloudFormation stack if there is no SNS notification associated with it."
severity = "low"
sql = query.cloudformation_stack_notifications_enabled.sql
documentation = file("./foundational_security/docs/foundational_security_cloudformation_1.md")

tags = merge(local.foundational_security_cloudformation_common_tags, {
foundational_security_item_id = "cloudformation_1"
foundational_security_category = "application_monitoring"
})
}
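Review bot: `benchmark.foundational_security_cloudformation` is defined here, but this diff does not show it being added to the children of the top-level foundational security benchmark, so it will not run as part of the full benchmark until that list is updated; please add it or point to the commit that does. Minor: the description talks about "an Amazon Simple Notification Service notification" without naming the stack property the query has to inspect, `NotificationARNs`; naming it makes the pass/fail condition unambiguous (an empty list fails).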
16 changes: 15 additions & 1 deletion foundational_security/cloudfront.sp
@@ -16,7 +16,8 @@ benchmark "foundational_security_cloudfront" {
control.foundational_security_cloudfront_6,
control.foundational_security_cloudfront_7,
control.foundational_security_cloudfront_8,
control.foundational_security_cloudfront_9
control.foundational_security_cloudfront_9,
control.foundational_security_cloudfront_10
]

tags = merge(local.foundational_security_cloudfront_common_tags, {
@@ -140,3 +141,16 @@ control "foundational_security_cloudfront_9" {
foundational_security_category = "encryption_of_data_in_transit"
})
}

control "foundational_security_cloudfront_10" {
title = "10 CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins"
description = "This control checks if Amazon CloudFront distributions are using deprecated SSL protocols for HTTPS communication between CloudFront edge locations and your custom origins. This control fails if a CloudFront distribution has a CustomOriginConfig where OriginSslProtocols includes SSLv3."
severity = "medium"
sql = query.cloudfront_distribution_no_deprecated_ssl_protocol.sql
documentation = file("./foundational_security/docs/foundational_security_cloudfront_10.md")

tags = merge(local.foundational_security_cloudfront_common_tags, {
foundational_security_item_id = "cloudfront_10"
foundational_security_category = "encryption_of_data_in_transit"
})
}
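Review bot: In `foundational_security_cloudfront_10` the fail condition is "OriginSslProtocols includes SSLv3" only, so a distribution that still allows TLSv1 or TLSv1.1 passes even though the accompanying doc recommends TLSv1.2 or later; the query name `cloudfront_distribution_no_deprecated_ssl_protocol` promises a broader check than is performed, so either state in the description that only SSLv3 is flagged or scope the name to SSLv3. Also confirm that distributions whose origins are all S3 origins (no `CustomOriginConfig`, hence no `OriginSslProtocols` to inspect) come back as pass or skip rather than as fail or null.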
11 changes: 11 additions & 0 deletions foundational_security/docs/foundational_security_autoscaling_3.md
@@ -0,0 +1,11 @@
## Description

This control checks whether IMDSv2 is enabled on all instances launched by Amazon EC2 Auto Scaling groups. The control fails if the Instance Metadata Service (IMDS) version is not included in the launch configuration or if both IMDSv1 and IMDSv2 are enabled.

IMDS provides data about your instance that you can use to configure or manage the running instance.

Version 2 of the IMDS adds new protections that weren't available in IMDSv1 to further safeguard your EC2 instances.

## Remediation

An Auto Scaling group is associated with one launch configuration at a time. You cannot modify a launch configuration after you create it. To change the launch configuration for an Auto Scaling group, use an existing launch configuration as the basis for a new launch configuration with IMDSv2 enabled. For more information, see [Configure instance metadata options for new instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-options.html#configuring-IMDS-new-instances) in the Amazon EC2 User Guide for Linux Instances.
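Review bot: The remediation tells the reader to build a new launch configuration "with IMDSv2 enabled" but never names the setting. The condition that makes this control pass is `HttpTokens = required` in the launch configuration's metadata options (with `HttpEndpoint = enabled`); `optional` is the state the description calls "both IMDSv1 and IMDSv2 are enabled". One concrete line, for example `aws autoscaling create-launch-configuration ... --metadata-options HttpTokens=required,HttpEndpoint=enabled`, makes the page actionable. It should also say that the group must then be switched to the new launch configuration and its existing instances replaced (instance refresh or termination) before the finding clears, since already-running instances keep the old metadata options.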
11 changes: 11 additions & 0 deletions foundational_security/docs/foundational_security_autoscaling_4.md
@@ -0,0 +1,11 @@
## Description

This control checks the number of network hops that a metadata token can travel. The control fails if the metadata response hop limit is greater than 1.

The Instance Metadata Service (IMDS) provides metadata information about an Amazon EC2 instance and is useful for application configuration. Restricting the HTTP PUT response for the metadata service to only the EC2 instance protects the IMDS from unauthorized use.

The Time To Live (TTL) field in the IP packet is reduced by one on every hop. This reduction can be used to ensure that the packet does not travel outside EC2. IMDSv2 protects EC2 instances that may have been misconfigured as open routers, layer 3 firewalls, VPNs, tunnels, or NAT devices, which prevents unauthorized users from retrieving metadata. With IMDSv2, the PUT response that contains the secret token cannot travel outside the instance because the default metadata response hop limit is set to 1. However, if this value is greater than 1, the token can leave the EC2 instance.

## Remediation

For detailed instructions on how to modify the metadata response hop limit for an existing launch configuration, see [Modify instance metadata options for existing instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-options.html#configuring-IMDS-existing-instances) in the Amazon EC2 User Guide for Linux Instances.
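Review bot: The remediation contradicts the autoscaling_3 doc in this same PR: it says to modify the hop limit "for an existing launch configuration" and links to the instructions for existing instances, but a launch configuration cannot be modified after creation, so the fix is a new launch configuration with `HttpPutResponseHopLimit=1` in its metadata options and a switch of the group to it. A caveat is also missing: workloads that reach IMDSv2 from inside containers (for example ECS or EKS worker nodes in an Auto Scaling group) need a hop limit of 2 because the PUT response crosses the container's network namespace, so those groups will fail this control by design; teams should record the exception rather than lower the limit and break the workload.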
@@ -0,0 +1,3 @@
## Overview

This section contains recommendations for configuring CloudFormation resources and options.
@@ -0,0 +1,9 @@
## Description

This control checks whether an Amazon Simple Notification Service notification is integrated with a CloudFormation stack. The control fails for a CloudFormation stack if there is no SNS notification associated with it.

Configuring an SNS notification with your CloudFormation stack helps immediately notify stakeholders of any events or changes occurring with the stack.

## Remediation

For information about how to update a CloudFormation stack, see [AWS CloudFormation stack updates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks.html) in the AWS CloudFormation User Guide.
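Review bot: The remediation only links to the generic stack-update page; the stack setting this control evaluates is `NotificationARNs`, which can be set on an existing stack with `aws cloudformation update-stack --stack-name <name> --notification-arns <topic-arn> ...` (together with `--use-previous-template` when nothing else changes), and the doc should say so. Because the topic then receives every stack event, including resource names and failure reasons, it is worth adding that the topic's subscriptions and access policy should be restricted to the intended stakeholders.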
@@ -0,0 +1,9 @@
## Description

This control checks if Amazon CloudFront distributions are using deprecated SSL protocols for HTTPS communication between CloudFront edge locations and your custom origins. This control fails if a CloudFront distribution has a CustomOriginConfig where OriginSslProtocols includes SSLv3.

In 2015, the Internet Engineering Task Force (IETF) officially announced that SSL 3.0 should be deprecated due to the protocol being insufficiently secure. It is recommended that you use TLSv1.2 or later for HTTPS communication to your custom origins.

## Remediation

To update the Origin SSL Protocols for your CloudFront distributions, see [Requiring HTTPS for communication between CloudFront and your custom origin](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-custom-origin.html) in the Amazon CloudFront Developer Guide.
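Review bot: The sentence about the IETF deprecating SSL 3.0 in 2015 should cite its source, RFC 7568 (June 2015), which prohibits negotiating SSLv3. The doc also recommends TLSv1.2 or later while the control, per its own description, fails only on SSLv3, so a passing distribution may still permit TLSv1 and TLSv1.1; say explicitly that a pass does not mean the origin protocol set is TLSv1.2-only, so readers do not take this control as covering the full recommendation.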
9 changes: 9 additions & 0 deletions foundational_security/docs/foundational_security_ec2_23.md
@@ -0,0 +1,9 @@
## Description

This control checks if EC2 Transit Gateways are automatically accepting shared VPC attachments. This control fails for a Transit Gateway that automatically accepts shared VPC attachment requests.

Turning on AutoAcceptSharedAttachments configures a Transit Gateway to automatically accept any cross-account VPC attachment requests without verifying the request or the account the attachment is originating from. To follow the best practices of authorization and authentication, we recommended turning off this feature to ensure that only authorized VPC attachment requests are accepted.

## Remediation

For information about how to modify a Transit Gateway, see [Modify a transit gateway](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-transit-gateways.html#tgw-modifying) in the Amazon VPC Developer Guide.
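Review bot: Typo in the second paragraph: "we recommended turning off" should read "we recommend turning off". The remediation link goes to the transit gateway documentation set (`vpc/latest/tgw`), not an "Amazon VPC Developer Guide", so the guide name should match the target; naming the option helps too: it is the `AutoAcceptSharedAttachments` transit gateway option, set to `disable` through `modify-transit-gateway --options`. Separately, this PR adds docs for EC2.23, EC2.24, EC2.27 and the ECR and ECS controls, but the corresponding control definitions in the ec2, ecr and ecs `.sp` files are not visible in the diff shown here; please confirm they are part of the same change so these docs are not orphaned.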
11 changes: 11 additions & 0 deletions foundational_security/docs/foundational_security_ec2_24.md
@@ -0,0 +1,11 @@
## Description

This control checks whether the virtualization type of an EC2 instance is paravirtual. The control fails if the virtualizationType of the EC2 instance is set to paravirtual.

Linux Amazon Machine Images (AMIs) use one of two types of virtualization: paravirtual (PV) or hardware virtual machine (HVM). The main differences between PV and HVM AMIs are the way in which they boot and whether they can take advantage of special hardware extensions (CPU, network, and storage) for better performance.

Historically, PV guests had better performance than HVM guests in many cases, but because of enhancements in HVM virtualization and the availability of PV drivers for HVM AMIs, this is no longer true. For more information, see Linux AMI virtualization types in the Amazon EC2 User Guide for Linux Instances.

## Remediation

For information about how to update an EC2 instance to a new instance type, see [Change the instance type](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-resize.html) in the Amazon EC2 User Guide for Linux Instances.
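Review bot: The remediation points to "Change the instance type", but virtualization type is a property of the AMI, as the doc's own second paragraph says, so resizing a paravirtual instance does not make it HVM; the remediation should say to launch a replacement from an HVM AMI, migrate the data, and terminate the PV instance. Also, "see Linux AMI virtualization types" is the only cross-reference in these docs left without a link; add the URL for consistency with the rest of the set.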
9 changes: 9 additions & 0 deletions foundational_security/docs/foundational_security_ec2_27.md
@@ -0,0 +1,9 @@
## Description

This control checks whether running EC2 instances are using key pairs. The control fails if a running EC2 instance uses a key pair.

As best practice, we recommend that you reduce the number of credentials in use whenever possible to minimize the risk of compromised credentials and unintended access. EC2 instances without key pairs can still be accessed using AWS Systems Manager Session Manager or browser-based SSH connection via the AWS console. You can also access EC2 instances with a password, but we do not recommend this because it involves credentials similar to key pairs.

## Remediation

To delete a key pair, see [Delete your public key on Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/delete-key-pair.html) in the Amazon EC2 User Guide for Linux Instances.
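Review bot: The remediation does not clear the finding. Deleting a key pair in EC2 removes only EC2's stored copy of the public key; the running instance keeps its `KeyName` attribute (which is what the control inspects) and the key remains in the instance's `~/.ssh/authorized_keys`. Remediation should be to launch replacement instances without a key pair and, where an instance must be kept, to remove the key from `authorized_keys` so the credential is at least unusable. The doc should also state the prerequisite for the suggested alternative: Session Manager requires the SSM Agent to be running and an instance profile that allows it, otherwise dropping the key pair locks the team out.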
9 changes: 9 additions & 0 deletions foundational_security/docs/foundational_security_ecr_1.md
@@ -0,0 +1,9 @@
## Description

This control checks whether a private ECR repository has image scanning configured. This control fails if a private ECR repository doesn't have image scanning configured.

ECR image scanning helps in identifying software vulnerabilities in your container images. ECR uses the Common Vulnerabilities and Exposures (CVEs) database from the open-source Clair project and provides a list of scan findings. Enabling image scanning on ECR repositories adds a layer of verification for the integrity and safety of the images being stored.

## Remediation

To configure image scanning for an ECR repository, see [Image scanning](https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html) in the Amazon Elastic Container Registry User Guide.
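Review bot: "doesn't have image scanning configured" reads as the repository-level `scanOnPush` flag, but ECR also has a registry-level scanning configuration (enhanced scanning through Amazon Inspector, with filters selecting repositories) that does not set the per-repository flag, so a query keyed only on `imageScanningConfiguration.scanOnPush` may report repositories covered by registry scanning as fails. Either state that the control evaluates the repository flag only or have the query consult the registry scanning configuration as well. The Clair sentence describes basic scanning only; enhanced scanning uses Inspector, and the doc should say which mode it is describing.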
9 changes: 9 additions & 0 deletions foundational_security/docs/foundational_security_ecr_2.md
@@ -0,0 +1,9 @@
## Description

This control checks whether a private ECR repository has tag immutability enabled. This control fails if a private ECR repository has tag immutability disabled. This rule passes if tag immutability is enabled and has the value IMMUTABLE.

Amazon ECR Tag Immutability enables customers to rely on the descriptive tags of an image as a reliable mechanism to track and uniquely identify images. An immutable tag is static, which means each tag refers to a unique image. This improves reliability and scalability as the use of a static tag will always result in the same image being deployed. When configured, tag immutability prevents the tags from being overridden, which reduces the attack surface.

## Remediation

To configure image scanning for an ECR repository, see [Image scanning](https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html) in the Amazon Elastic Container Registry User Guide.
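Review bot: The Remediation section is copy-pasted from the ecr_1 doc: it says "To configure image scanning" and links to the Image scanning page, which has nothing to do with tag immutability. Point it at the Image tag mutability page of the ECR User Guide and name the change, `aws ecr put-image-tag-mutability --repository-name <name> --image-tag-mutability IMMUTABLE`. Also, the last sentence of the first paragraph restates the second; one statement of the pass condition is enough.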
9 changes: 9 additions & 0 deletions foundational_security/docs/foundational_security_ecs_10.md
@@ -0,0 +1,9 @@
## Description

This control checks if Amazon ECS Fargate services are running the latest Fargate platform version. This control fails if the platform version is not the latest.

AWS Fargate platform versions refer to a specific runtime environment for Fargate task infrastructure, which is a combination of kernel and container runtime versions. New platform versions are released as the runtime environment evolves. For example, a new version may be released for kernel or operating system updates, new features, bug fixes, or security updates. Security updates and patches are deployed automatically for your Fargate tasks. If a security issue is found that affects a platform version, AWS patches the platform version.

## Remediation

To update an existing service, including its platform version, see [Updating a service](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/update-service.html) in the Amazon Elastic Container Service Developer Guide.
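Review bot: The fail condition "platform version is not the latest" needs two clarifications in both doc and query. First, services created with `platformVersion = LATEST` resolve that alias at deployment time, so a service deployed before a new platform version shipped is still running the old one and needs `aws ecs update-service --force-new-deployment` to pick the new one up; the sentence "Security updates and patches are deployed automatically" applies to revisions of the version already in use, not to moving between versions. Second, services on the EC2 launch type have no platform version at all and should be excluded from evaluation rather than counted as fails.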
9 changes: 9 additions & 0 deletions foundational_security/docs/foundational_security_ecs_3.md
@@ -0,0 +1,9 @@
## Description

This control checks if Amazon ECS task definitions are configured to share a host’s process namespace with its containers. The control fails if the task definition shares the host's process namespace with the containers running on it.

A process ID (PID) namespace provides separation between processes. It prevents system processes from being visible, and allows PIDs to be reused, including PID 1. If the host’s PID namespace is shared with containers, it would allow containers to see all of the processes on the host system. This reduces the benefit of process level isolation between the host and the containers. These circumstances could lead to unauthorized access to processes on the host itself, including the ability to manipulate and terminate them. Customers shouldn’t share the host’s process namespace with containers running on it.

## Remediation

To configure the pidMode on a task definition, see [Task definition parameters](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#task_definition_pidmode) in the Amazon Elastic Container Service Developer Guide.
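Review bot: The description and doc should spell out which `pidMode` value fails: `host` shares the host's PID namespace and is the case the text describes; `task` shares the namespace only among containers of the same task, and leaving `pidMode` unset gives each container its own namespace, so both of those should pass. Without that, a query that flags any non-null `pidMode` would produce false positives on task definitions that use `task` for legitimate sidecar patterns.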
9 changes: 9 additions & 0 deletions foundational_security/docs/foundational_security_ecs_4.md
@@ -0,0 +1,9 @@
## Description

This control checks if the privileged parameter in the container definition of Amazon ECS Task Definitions is set to true. The control fails if this parameter is equal to true.

We recommend that you remove elevated privileges from your ECS task definitions. When the privilege parameter is true, the container is given elevated privileges on the host container instance (similar to the root user).

## Remediation

To configure the privileged parameter on a task definition, see [Advanced container definition parameters](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#container_definition_security) in the Amazon Elastic Container Service Developer Guide.
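Review bot: "privilege parameter" in the second paragraph should be `privileged`, matching the first paragraph and the actual container definition key. The key defaults to `false` when omitted, so the query must treat a missing `privileged` as pass and only `true` as fail. It is also worth stating that `privileged` is not supported for tasks run on Fargate, so findings from this control always point at EC2 launch type task definitions, which narrows where to look.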
17 changes: 17 additions & 0 deletions foundational_security/docs/foundational_security_ecs_5.md
@@ -0,0 +1,17 @@
## Description

This control checks if ECS containers are limited to read-only access to mounted root filesystems. This control fails if the ReadonlyRootFilesystem parameter in the container definition of ECS task definitions is set to false.

Enabling this option reduces security attack vectors since the container instance’s filesystem cannot be tampered with or written to unless it has explicit read-write permissions on its filesystem folder and directories. This control also adheres to the principle of least privilege.

## Remediation

**To limit container definitions to read-only access to root filesystems**

1. Open the [Amazon ECS console](https://console.aws.amazon.com/ecs/).
2. In the left navigation pane, choose `Task Definitions`.
3. For each task definition that has container definitions that need to be updated, do the following:
- Select the container definition that needs to be updated.
- Choose `Edit Container`. For `Storage and Logging`, select `Read only root file system`.
- Choose `Update` at the bottom of the `Edit Container` tab.
- Choose `Create`.
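Review bot: The second paragraph says the "container instance's filesystem" cannot be tampered with, but `readonlyRootFilesystem` makes the container's own root filesystem read-only; the container instance (the EC2 host) is unaffected, and the sentence should say container. Because the parameter defaults to `false` when omitted, the description's "set to false" should cover the omitted case so the query does not pass task definitions that never set it. Two practical caveats belong in the remediation: applications that write to paths such as `/tmp` will break once the root filesystem is read-only, so pair the setting with a writable `volumes`/`mountPoints` entry for those paths, and the console steps create a new task definition revision that the service still has to be updated to use.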
9 changes: 9 additions & 0 deletions foundational_security/docs/foundational_security_ecs_8.md
@@ -0,0 +1,9 @@
## Description

This control checks if the key value of any variables in the environment parameter of container definitions includes AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, or ECS_ENGINE_AUTH_DATA. This control fails if a single environment variable in any container definition equals AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, or ECS_ENGINE_AUTH_DATA. This control does not cover environmental variables passed in from other locations such as Amazon S3.

AWS Systems Manager Parameter Store can help you improve the security posture of your organization. We recommend using the Parameter Store to store secrets and credentials instead of directing passing them into your container instances or hard coding them into your code.

## Remediation

To create parameters using SSM, see [Creating Systems Manager parameters](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-paramstore-su-create.html)in the AWS Systems Manager User Guide. For more information about creating a task definition that specifies a secret, see [Specifying sensitive data using Secrets Manager](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data-secrets.html#secrets-create-taskdefinition) in the Amazon Elastic Container Service Developer Guide.
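Review bot: The first paragraph is internally inconsistent: the first sentence fails when a key "includes" the listed names and the second when a variable "equals" them; state one condition (equality against the three names). Typos: "directing passing" should be "directly passing", and a space is missing between the Parameter Store link and "in the AWS Systems Manager User Guide". The remediation should say what replaces the `environment` entry: a `secrets` entry in the container definition whose `valueFrom` is the Parameter Store or Secrets Manager ARN, plus `ssm:GetParameters` or `secretsmanager:GetSecretValue` (and `kms:Decrypt` for customer-key-encrypted values) on the task execution role, otherwise the task fails to start.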