Add cis_v120 benchmark #535
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
cis_v120/section_1.sp
Outdated
| tags = merge(local.cis_v120_1_common_tags, { | ||
| cis_item_id = "1.15" | ||
| cis_level = "1" | ||
| cis_type = "not scored" |
There was a problem hiding this comment.
Suggested change
| cis_type = "not scored" | |
| cis_type = "not_scored" |
Please change this in all applicable places.
| tags = merge(local.cis_v120_4_common_tags, { | ||
| cis_item_id = "4.4" | ||
| cis_level = "2" | ||
| cis_type = "scored" |
There was a problem hiding this comment.
Suggested change
| cis_type = "scored" | |
| cis_type = "not_scored" |
cis_v120/section_3.sp
Outdated
| title = "3.4 Ensure a log metric filter and alarm exist for IAM policy changes" | ||
| description = "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies." | ||
| sql = query.log_metric_filter_iam_policy.sql | ||
| documentation = file("./cis_v120/docs/cis_v120_3_3.md") |
There was a problem hiding this comment.
Suggested change
| documentation = file("./cis_v120/docs/cis_v120_3_3.md") | |
| documentation = file("./cis_v120/docs/cis_v120_3_4.md") |
cis_v120/section_3.sp
Outdated
| title = "3.14 Ensure a log metric filter and alarm exist for VPC changes" | ||
| description = "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs." | ||
| sql = query.log_metric_filter_vpc.sql | ||
| documentation = file("./cis_v120/docs/cis_v120_3_13.md") |
There was a problem hiding this comment.
Suggested change
| documentation = file("./cis_v120/docs/cis_v120_3_13.md") | |
| documentation = file("./cis_v120/docs/cis_v120_3_14.md") |
cis_v120/section_1.sp
Outdated
| control "cis_v120_1_17" { | ||
| title = "1.17 Maintain current contact details" | ||
| description = "Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization. An AWS account supports a number of contact details, and AWS will use these to contact the account owner if activity judged to be in breach of Acceptable Use Policy or indicative of likely security compromise is observed by the AWS Abuse team. Contact details should not be for a single individual, as circumstances may arise where that individual is unavailable. Email contact details should point to a mail alias which forwards email to multiple individuals within the organization; where feasible, phone contact details should point to a PABX hunt group or other call-forwarding system." | ||
| sql = query.manual_control.sql |
There was a problem hiding this comment.
We can try to build a query using the aws_account_contact table.
cis_v120/docs/cis_v120_1_11.md
Outdated
Comment on lines
6
to
10
|
|
||
| - Passwords can be stolen or compromised sometimes without your knowledge. This can happen via a system compromise, software vulnerability, or internal threat. | ||
| - Certain corporate and government web filters or proxy servers have the ability to intercept and record traffic even if it's encrypted. | ||
| - Many people use the same password for many systems such as work, email, and personal. | ||
| - Compromised end user workstations might have a keystroke logger. |
There was a problem hiding this comment.
Suggested change
| - Passwords can be stolen or compromised sometimes without your knowledge. This can happen via a system compromise, software vulnerability, or internal threat. | |
| - Certain corporate and government web filters or proxy servers have the ability to intercept and record traffic even if it's encrypted. | |
| - Many people use the same password for many systems such as work, email, and personal. | |
| - Compromised end user workstations might have a keystroke logger. | |
| - Passwords can be stolen or compromised sometimes without your knowledge. This can happen via a system compromise, software vulnerability, or internal threat. | |
| - Certain corporate and government web filters or proxy servers have the ability to intercept and record traffic even if it's encrypted. | |
| - Many people use the same password for many systems such as work, email, and personal. | |
| - Compromised end user workstations might have a keystroke logger. |
Comment on lines
+20
to
+21
| - Click on `Make Inactive` - (Temporarily disable Key - may be needed again). | ||
| - Click `Delete` - (Deleted keys cannot be recovered). |
There was a problem hiding this comment.
Suggested change
| - Click on `Make Inactive` - (Temporarily disable Key - may be needed again). | |
| - Click `Delete` - (Deleted keys cannot be recovered). | |
| - Click on `Make Inactive` - (Temporarily disable Key - may be needed again). | |
| - Click `Delete` - (Deleted keys cannot be recovered). |
cis_v120/section_2.sp
Outdated
| control "cis_v120_2_1" { | ||
| title = "2.1 Ensure CloudTrail is enabled in all regions" | ||
| description = "AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation)." | ||
| sql = query.cloudtrail_multi_region_read_write_enabled.sql |
There was a problem hiding this comment.
Suggested change
| sql = query.cloudtrail_multi_region_read_write_enabled.sql | |
| query = query.cloudtrail_multi_region_read_write_enabled |
Please make changes to all places wherever applicable.
khushboo9024
approved these changes
Jan 19, 2023
misraved
reviewed
Jan 19, 2023
cis_v120/docs/cis_v120_2_1.md
Outdated
Comment on lines
21
to
25
| - Click `Add new trail`. | ||
| - Enter a trail name in the `Trail name` box. | ||
| - Set the `Apply trail to all regions` option to `Yes`. | ||
| - Specify an S3 bucket name in the `S3 bucket` box. | ||
| - Click `Create`. |
There was a problem hiding this comment.
Suggested change
| - Click `Add new trail`. | |
| - Enter a trail name in the `Trail name` box. | |
| - Set the `Apply trail to all regions` option to `Yes`. | |
| - Specify an S3 bucket name in the `S3 bucket` box. | |
| - Click `Create`. | |
| - Click `Add new trail`. | |
| - Enter a trail name in the `Trail name` box. | |
| - Set the `Apply trail to all regions` option to `Yes`. | |
| - Specify an S3 bucket name in the `S3 bucket` box. | |
| - Click `Create`. |
There was a problem hiding this comment.
Please update all such instances across the documents 👍 .
cis_v120/docs/cis_v120_2_4.md
Outdated
Comment on lines
25
to
26
| - Create/Select an `IAM Role` and `Policy Name`. | ||
| - Click `Allow` to continue. |
There was a problem hiding this comment.
Please update the indentation.
cis_v120/docs/cis_v120_2_6.md
Outdated
Comment on lines
18
to
20
| - Click on `Enabled` checkbox. | ||
| - Select Target Bucket from list. | ||
| - Enter a Target Prefix. |
There was a problem hiding this comment.
Suggested change
| - Click on `Enabled` checkbox. | |
| - Select Target Bucket from list. | |
| - Enter a Target Prefix. | |
| - Click on `Enabled` checkbox. | |
| - Select Target Bucket from list. | |
| - Enter a Target Prefix. |
cis_v120/docs/cis_v120_2_7.md
Outdated
Comment on lines
19
to
20
| - Note: Ensure the CMK is located in the same region as the S3 bucket | ||
| - Note: You will need to apply a KMS Key policy on the selected CMK in order for |
There was a problem hiding this comment.
Please update the indentation
| end as status, | ||
| case | ||
| when ingress_rdp_rules.group_id is null then sg.group_id || ' ingress restricted for RDP from 0.0.0.0/0.' | ||
| else sg.group_id || ' contains ' || ingress_rdp_rules.num_rdp_rules || ' ingress rule(s) allowing RDP from 0.0.0.0/0.' |
There was a problem hiding this comment.
Suggested change
| else sg.group_id || ' contains ' || ingress_rdp_rules.num_rdp_rules || ' ingress rule(s) allowing RDP from 0.0.0.0/0.' | |
| else sg.group_id || ' contains ' || ingress_rdp_rules.num_rdp_rules || ' ingress rule(s) allowing RDP from 0.0.0.0/0.' |
misraved
approved these changes
Jan 19, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.