Add FSBP controls

cisa_cyber_essentials/your_data.sp

@@ -19,7 +19,7 @@ benchmark "cisa_cyber_essentials_your_data_1" {
     control.apigateway_stage_cache_encryption_at_rest_enabled,
     control.backup_recovery_point_encryption_enabled,
     control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
-    control.dynamodb_table_encrypted_with_kms_cmk,
+    control.dynamodb_table_encrypted_with_kms,
     control.ebs_attached_volume_encryption_enabled,
     control.ec2_ebs_default_encryption_enabled,
     control.efs_file_system_encrypted_with_cmk,
@@ -55,7 +55,7 @@ benchmark "cisa_cyber_essentials_your_data_2" {
     control.cloudtrail_trail_integrated_with_logs,
     control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
     control.dms_replication_instance_not_publicly_accessible,
-    control.dynamodb_table_encrypted_with_kms_cmk,
+    control.dynamodb_table_encrypted_with_kms,
     control.ebs_attached_volume_encryption_enabled,
     control.ebs_snapshot_not_publicly_restorable,
     control.ec2_ebs_default_encryption_enabled,

cisa_cyber_essentials/your_systems.sp

@@ -58,7 +58,7 @@ benchmark "cisa_cyber_essentials_your_systems_3" {
     control.codebuild_project_source_repo_oauth_configured,
     control.dms_replication_instance_not_publicly_accessible,
     control.dynamodb_table_auto_scaling_enabled,
-    control.dynamodb_table_encrypted_with_kms_cmk,
+    control.dynamodb_table_encrypted_with_kms,
     control.dynamodb_table_in_backup_plan,
     control.dynamodb_table_point_in_time_recovery_enabled,
     control.dynamodb_table_protected_by_backup_plan,

foundational_security/docs/foundational_security_networkfirewall_3.md

@@ -0,0 +1,14 @@
+## Description
+
+This control checks whether a Network Firewall policy has any stateful or stateless rule groups associated. The control fails if stateless or stateful rule groups are not assigned.
+
+A firewall policy defines how your firewall monitors and handles traffic in Amazon Virtual Private Cloud (Amazon VPC). Configuration of stateless and stateful rule groups helps to filter packets and traffic flows, and defines default traffic handling
+
+## Remediation
+
+**To update firewall policy and add a rule group through console:**
+
+1. Sign in to the AWS Management Console and open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
+2. In the navigation pane, under Network Firewall, choose Firewall policies.
+3. In the Firewall policies page, select the name of the firewall policy you want to update.
+4. In the firewall policy's page, you can change the rule groups.

foundational_security/docs/foundational_security_networkfirewall_4.md

@@ -0,0 +1,14 @@
+## Description
+
+This control checks whether the default stateless action for full packets for a Network Firewall policy is drop or forward. The control passes if Drop or Forward is selected, and fails if Pass is selected.
+
+A firewall policy defines how your firewall monitors and handles traffic in Amazon VPC. You configure stateless and stateful rule groups to filter packets and traffic flows. Defaulting to Pass can allow unintended traffic.
+
+## Remediation
+
+**To update firewall policy and update actions through console:**
+
+1. Sign in to the AWS Management Console and open the [Amazon VPC console](https://console.aws.amazon.com/vpc/).
+2. In the navigation pane, under Network Firewall, choose Firewall policies.
+3. Select the name of the firewall policy that you want to edit. This takes you to the firewall policy’s details page.
+4. In Stateless Default Actions, choose Edit. Then choose Drop or Forward to stateful rule groups as the Default actions for full packets.

foundational_security/docs/foundational_security_networkfirewall_5.md

@@ -0,0 +1,14 @@
+## Description
+
+This control checks whether the default stateless action for fragmented packets for a Network Firewall policy is drop or forward. The control passes if Drop or Forward is selected, and fails if Pass is selected.
+
+A firewall policy defines how your firewall monitors and handles traffic in Amazon VPC. You configure stateless and stateful rule groups to filter packets and traffic flows. Defaulting to Pass can allow unintended traffic.
+
+## Remediation
+
+**To update firewall policy and update actions through console:**
+
+1. Sign in to the AWS Management Console and open the [Amazon VPC console](https://console.aws.amazon.com/vpc/).
+2. In the navigation pane, under Network Firewall, choose Firewall policies.
+3. Select the name of the firewall policy that you want to edit. This takes you to the firewall policy’s details page.
+4. In Stateless Default Actions, choose Edit. Then choose Drop or Forward to stateful rule groups as the Default actions for fragmented packets.

foundational_security/docs/foundational_security_opensearch.md

@@ -0,0 +1,3 @@
+## Overview
+
+This section contains recommendations for configuring OpenSearch resources and options.

foundational_security/docs/foundational_security_opensearch_7.md

@@ -0,0 +1,20 @@
+## Description
+
+This control checks whether OpenSearch domains have fine-grained access control enabled. The control fails if the fine-grained access control is not enabled. Fine-grained access control requires advanced-security-optionsin the OpenSearch parameter update-domain-config to be enabled.
+
+Fine-grained access control offers additional ways of controlling access to your data on Amazon OpenSearch Service.
+
+## Remediation
+
+To enable fine-grained access control on an existing domain 
+
+1. Select your domain and choose Actions and Edit security configuration.
+2. Select Enable fine-grained access control.
+3. Choose how to create the master user:
+  - If you want to use IAM for user management, choose Set IAM ARN as master user and specify the ARN for an IAM role.
+  - If you want to use the internal user database, choose Create master user and specify a user name and password.
+4. (Optional) Select Enable migration period for open/IP-based access policy. This setting enables a 30-day transition period during which your existing users can continue to access the domain without disruptions, and existing open and IP-based access policies will continue to work with your domain. During this migration period, we recommend that administrators create the necessary roles and map them to users for the domain. If you use identity-based policies instead of an open or IP-based access policy, you can disable this setting.
+You also need to update your clients to work with fine-grained access control during the migration period. For example, if you map IAM users with fine-grained access control, you must update your clients to start signing requests with AWS Signature Version 4. If you configure HTTP basic authentication with fine-grained access control, you must update your clients to provide appropriate basic authentication credentials in requests.
+During the migration period, users who access the OpenSearch Dashboards endpoint for the domain will land directly on the Discover page rather than the login page. Administrators and master users can choose Login to log in with admin credentials and configure role mappings.
+5. Choose Save changes.
+

foundational_security/docs/foundational_security_redshift_9.md

@@ -0,0 +1,9 @@
+## Description
+
+This control checks whether an Amazon Redshift cluster has changed the database name from its default value. The control will fail if the database name for a Redshift cluster is set to dev.
+
+When creating a Redshift cluster, you should change the default database name to a unique value. Default names are public knowledge and should be changed upon configuration. As an example, a well-known name could lead to inadvertent access if it was used in IAM policy conditions.
+
+## Remediation
+
+You cannot change the database name for your Amazon Redshift cluster after it is created. To create a new cluster, follow the instructions [here](https://docs.aws.amazon.com/redshift/latest/gsg/getting-started.html).

foundational_security/docs/foundational_security_sns_2.md

@@ -0,0 +1,26 @@
+## Description
+
+This control checks whether logging is enabled for the delivery status of notification messages sent to an Amazon SNS topic for the endpoints. This control fails if the delivery status notification for messages is not enabled.
+
+Logging is an important part of maintaining the reliability, availability, and performance of services. Logging message delivery status helps provide operational insights, such as the following:
+  - Knowing whether a message was delivered to the Amazon SNS endpoint.
+  - Identifying the response sent from the Amazon SNS endpoint to Amazon SNS.
+  - Determining the message dwell time (the time between the publish timestamp and the hand off to an Amazon SNS endpoint).
+
+## Remediation
+
+To remediate this issue, configuring your SNS topic delivery status logging.
+
+**To encrypt an unencrypted SNS topic**
+
+1. Open the [Amazon SNS console](https://console.aws.amazon.com/sns/v3/home).
+2. In the navigation pane, choose `Topics`.
+3. On the Topics page, choose a topic and then choose Edit.
+4. On the Edit MyTopic page, expand the Delivery status logging section.
+5. Choose the protocol for which you want to log delivery status; for example AWS Lambda.
+6. Enter the Success sample rate (the percentage of successful messages for which you want to receive CloudWatch Logs.
+7. In the IAM roles section, do one of the following:
+  - To choose an existing service role from your account, choose Use existing service role and then specify IAM roles for successful and failed deliveries.
+  - To create a new service role in your account, choose Create new service role, choose Create new roles to define the IAM roles for successful and failed deliveries in the IAM console.
+  - To give Amazon SNS write access to use CloudWatch Logs on your behalf, choose Allow.
+8. Choose Save changes.

foundational_security/docs/foundational_security_waf.md

@@ -0,0 +1,3 @@
+## Overview
+
+This section contains recommendations for configuring AWS WAF resources and options.

foundational_security/docs/foundational_security_waf_6.md

@@ -0,0 +1,42 @@
+## Description
+
+This control checks whether an AWS WAF global rule contains any conditions. The control fails if no conditions are present within a rule.
+
+A WAF global rule can contain multiple conditions. A rule’s conditions allow for traffic inspection and take a defined action (allow, block, or count). Without any conditions, the traffic passes without inspection. A WAF global rule with no conditions, but with a name or tag suggesting allow, block, or count, could lead to the wrong assumption that one of those actions is occurring.
+
+## Remediation
+
+To remediate this issue, update your WAF rule to add a condition.
+
+**To encrypt an unencrypted SNS topic**
+
+1. Open the [Amazon WAF console](https://console.aws.amazon.com/wafv2/).
+2. In the navigation pane, choose `Rules`.
+3. Choose the name of the rule to update.
+4. Choose `Edit`.
+5. To add a condition to the rule, specify the following values:
+
+  **When a request does/does not**
+
+    If you want AWS WAF Classic to allow or block requests based on the filters in a condition, choose does. For example, if an IP match condition includes the IP address range 192.0.2.0/24 and you want AWS WAF Classic to allow or block requests that come from those IP addresses, choose does.
+    If you want AWS WAF Classic to allow or block requests based on the inverse of the filters in a condition, choose does not. For example, if an IP match condition includes the IP address range 192.0.2.0/24 and you want AWS WAF Classic to allow or block requests that do not come from those IP addresses, choose does not.
+
+  **match/originate from**
+
+    Choose the type of condition that you want to add to the rule:
+    - Cross-site scripting match conditions – choose **match at least one of the filters in the cross-site scripting match condition**
+    - IP match conditions – choose **originate from an IP address in**
+    - Geo match conditions – choose **originate from a geographic location in**
+    - Size constraint conditions – choose **match at least one of the filters in the size constraint condition**
+    - SQL injection match conditions – choose **match at least one of the filters in the SQL injection match condition**
+    - String match conditions – choose **match at least one of the filters in the string match condition**
+    - Regular expression **match conditions – choose match at least one of the filters in the regex match condition**
+
+  **condition name**
+
+    Choose the condition that you want to add to the rule. The list displays only conditions of the type that you chose in the preceding step.
+
+6. To add another condition to the rule, choose **Add another condition**, and repeat steps 4 and 5. Note the following:
+  - If you add more than one condition, a web request must match at least one filter in every condition for AWS WAF Classic to allow or block requests based on that rule
+  - If you add two IP match conditions to the same rule, AWS WAF Classic will only allow or block requests that originate from IP addresses that appear in both IP match conditions
+7. When you're finished adding conditions, choose **Create**.

foundational_security/docs/foundational_security_waf_7.md

@@ -0,0 +1,22 @@
+## Description
+
+This control checks whether an AWS WAF global rule group has at least one rule. The control fails if no rules are present within a rule group.
+
+A WAF global rule group can contain multiple rules. The rule's conditions allow for traffic inspection and take a defined action (allow, block, or count). Without any rules, the traffic passes without inspection. A WAF global rule group with no rules, but with a name or tag suggesting allow, block, or count, could lead to the wrong assumption that one of those actions is occurring.
+
+## Remediation
+
+To remediate this issue, update your WAF rule group to add atleast one rule.
+
+**To encrypt an unencrypted SNS topic**
+
+1. Open the [Amazon WAF console](https://console.aws.amazon.com/wafv2/).
+2. In the navigation pane, choose `Rule groups`.
+3. Choose the name of the rule group to update.
+4. Choose `Edit`.
+5. If you have already created the rules that you want to add to the rule group, choose Use existing rules for this rule group . If you want to create new rules to add to the rule group, choose **Create rules and conditions for this rule group**.
+6. Choose Next.
+7. If you chose to create rules, follow the steps to create them at [Creating a rule and adding conditions](https://docs.aws.amazon.com/waf/latest/developerguide/classic-web-acl-rules-creating.html).
+   When you've created all the rules you need, go to the next step.
+8. To add a rule to the rule group, select a rule then choose Add rule. Choose whether to allow, block, or count requests that match the rule's conditions. For more information on the choices, see [How AWS WAF Classic works](https://docs.aws.amazon.com/waf/latest/developerguide/classic-how-aws-waf-works.html).
+9. When you're finished adding conditions, choose **Save**.

foundational_security/docs/foundational_security_waf_8.md

@@ -0,0 +1,20 @@
+## Description
+
+This control checks whether an AWS WAF global web ACL contains at least one WAF rule or WAF rule group. The control fails if a web ACL does not contain any WAF rules or rule groups.
+
+A WAF global web ACL can contain a collection of rules and rule groups that inspect and control web requests. If a web ACL is empty, the web traffic can pass without being detected or acted upon by WAF depending on the default action.
+
+## Remediation
+
+To remediate this issue, update your WAF web ACL to add atleast one rule or rule group.
+
+**To add rules or rule groups to an empty web ACL**
+
+1. Open the [AWS WAF console](https://console.aws.amazon.com/wafv2/).
+2. In the navigation pane, choose **Switch to AWS WAF Classic**, and then choose `Web ACLs`.
+3. For Filter, choose Global (CloudFront).
+4. Choose the name of the empty web ACL.
+5. Choose Rules, and then choose Edit web ACL.
+6. For Rules, choose a rule or rule group, and then choose Add rule to web ACL.
+7. At this point, you can modify the rule order within the web ACL if you are adding multiple rules or rule groups to the web ACL.
+8. Choose **Update**.

foundational_security/foundational_security.sp

@@ -35,14 +35,16 @@ benchmark "foundational_security" {
     benchmark.foundational_security_kms,
     benchmark.foundational_security_lambda,
     benchmark.foundational_security_networkfirewall,
+    benchmark.foundational_security_opensearch,
     benchmark.foundational_security_rds,
     benchmark.foundational_security_redshift,
     benchmark.foundational_security_s3,
     benchmark.foundational_security_sagemaker,
     benchmark.foundational_security_secretsmanager,
     benchmark.foundational_security_sns,
     benchmark.foundational_security_sqs,
-    benchmark.foundational_security_ssm
+    benchmark.foundational_security_ssm,
+    benchmark.foundational_security_waf
   ]
 
   tags = merge(local.foundational_security_common_tags, {

foundational_security/networkfirewall.sp

@@ -8,6 +8,9 @@ benchmark "foundational_security_networkfirewall" {
   title         = "Network Firewall"
   documentation = file("./foundational_security/docs/foundational_security_networkfirewall.md")
   children = [
+    control.foundational_security_networkfirewall_3,
+    control.foundational_security_networkfirewall_4,
+    control.foundational_security_networkfirewall_5,
     control.foundational_security_networkfirewall_6
   ]
 
@@ -16,6 +19,45 @@ benchmark "foundational_security_networkfirewall" {
   })
 }
 
+control "foundational_security_networkfirewall_3" {
+  title         = "3 Network Firewall policies should have at least one rule group associated"
+  description   = "This control checks whether a Network Firewall policy has any stateful or stateless rule groups associated. The control fails if stateless or stateful rule groups are not assigned."
+  severity      = "medium"
+  sql           = query.networkfirewall_firewall_policy_rule_group_not_empty.sql
+  documentation = file("./foundational_security/docs/foundational_security_networkfirewall_3.md")
+
+  tags = merge(local.foundational_security_networkfirewall_common_tags, {
+    foundational_security_item_id  = "networkfirewall_3"
+    foundational_security_category = "secure_network_configuration"
+  })
+}
+
+control "foundational_security_networkfirewall_4" {
+  title         = "4 The default stateless action for Network Firewall policies should be drop or forward for full packets"
+  description   = "A firewall policy defines how your firewall monitors and handles traffic in Amazon VPC. You configure stateless and stateful rule groups to filter packets and traffic flows. Defaulting to Pass can allow unintended traffic."
+  severity      = "medium"
+  sql           = query.networkfirewall_firewall_policy_default_stateless_action_check_full_packets.sql
+  documentation = file("./foundational_security/docs/foundational_security_networkfirewall_4.md")
+
+  tags = merge(local.foundational_security_networkfirewall_common_tags, {
+    foundational_security_item_id  = "networkfirewall_4"
+    foundational_security_category = "secure_network_configuration"
+  })
+}
+
+control "foundational_security_networkfirewall_5" {
+  title         = "5 The default stateless action for Network Firewall policies should be drop or forward for fragmented packets"
+  description   = "This control checks whether the default stateless action for fragmented packets for a Network Firewall policy is drop or forward. The control passes if Drop or Forward is selected, and fails if Pass is selected."
+  severity      = "medium"
+  sql           = query.networkfirewall_firewall_policy_default_stateless_action_check_fragmented_packets.sql
+  documentation = file("./foundational_security/docs/foundational_security_networkfirewall_5.md")
+
+  tags = merge(local.foundational_security_networkfirewall_common_tags, {
+    foundational_security_item_id  = "networkfirewall_5"
+    foundational_security_category = "secure_network_configuration"
+  })
+}
+
 control "foundational_security_networkfirewall_6" {
   title         = "6 Stateless network firewall rule group should not be empty"
   description   = "A rule group contains rules that define how your firewall processes traffic in your VPC. An empty stateless rule group when present in a firewall policy might give the impression that the rule group will process traffic. However, when the stateless rule group is empty, it does not process traffic."