turbot · misraved · Mar 22, 2023 · Mar 6, 2023 · Mar 6, 2023 · Mar 6, 2023
diff --git a/.gitignore b/.gitignore
@@ -7,3 +7,7 @@
 
 # Swap files
 *.swp
+
+# Steampipe variable files
+*.spvars
+*.auto.spvars
diff --git a/conformance_pack/account.sp b/conformance_pack/account.sp
@@ -0,0 +1,33 @@
+# Non-Config rule query
+query "account_alternate_contact_security_registered" {
+  sql = <<-EOQ
+    with alternate_security_contact as (
+      select
+        name,
+        account_id
+      from
+        aws_account_alternate_contact
+      where
+        contact_type = 'SECURITY'
+    )
+    select
+      -- Required Columns
+      arn as resource,
+      case
+        when a.partition = 'aws-us-gov' then 'info'
+        -- Name is a required field if setting a security contact
+        when c.name is not null then 'ok'
+        else 'alarm'
+      end as status,
+      case
+        when a.partition = 'aws-us-gov' then a.title || ' in GovCloud, manual verification required.'
+        when c.name is not null then a.title || ' has security contact ' || c.name || ' registered.'
+        else a.title || ' security contact not registered.'
+      end as reason
+      -- Additional Dimensions
+      ${replace(local.common_dimensions_qualifier_global_sql, "__QUALIFIER__", "a.")}
+    from
+      aws_account as a
+      left join alternate_security_contact as c on c.account_id = a.account_id;
+  EOQ
+}
diff --git a/conformance_pack/acm.sp b/conformance_pack/acm.sp
@@ -44,3 +44,70 @@ control "acm_certificate_no_wildcard_domain_name" {
     other_checks = "true"
   })
 }
+
+query "acm_certificate_expires_30_days" {
+  sql = <<-EOQ
+    select
+      -- Required Columns
+      certificate_arn as resource,
+      case
+        when renewal_eligibility = 'INELIGIBLE' then 'skip'
+        when date(not_after) - date(current_date) >= 30 then 'ok'
+        else 'alarm'
+      end as status,
+      case
+        when renewal_eligibility = 'INELIGIBLE' then title || ' not eligible for renewal.'
+        else title || ' expires ' || to_char(not_after, 'DD-Mon-YYYY') ||
+        ' (' || extract(day from not_after - current_date) || ' days).'
+      end as reason
+      -- Additional Dimensions
+      ${local.tag_dimensions_sql}
+      ${local.common_dimensions_sql}
+    from
+      aws_acm_certificate;
+  EOQ
+}
+
+query "acm_certificate_no_wildcard_domain_name" {
+  sql = <<-EOQ
+    select
+      -- Required Columns
+      certificate_arn as resource,
+      case
+        when domain_name like '*%' then 'alarm'
+        else 'ok'
+      end as status,
+      case
+        when domain_name like '*%' then title || ' uses wildcard domain name.'
+        else title || ' does not use wildcard domain name.'
+      end as reason
+      -- Additional Dimensions
+      ${local.tag_dimensions_sql}
+      ${local.common_dimensions_sql}
+    from
+      aws_acm_certificate;
+  EOQ
+}
+
+query "acm_certificate_transparency_logging_enabled" {
+  sql = <<-EOQ
+    select
+      -- Required Columns
+      certificate_arn as resource,
+      case
+        when type = 'IMPORTED' then 'skip'
+        when certificate_transparency_logging_preference = 'ENABLED' then 'ok'
+        else 'alarm'
+      end as status,
+      case
+        when type = 'IMPORTED' then title || ' is imported.'
+        when certificate_transparency_logging_preference = 'ENABLED' then title || ' transparency logging enabled.'
+        else title || ' transparency logging disabled.'
+      end as reason
+      -- Additional Dimensions
+      ${local.tag_dimensions_sql}
+      ${local.common_dimensions_sql}
+    from
+      aws_acm_certificate;
+  EOQ
+}
diff --git a/conformance_pack/apigateway.sp b/conformance_pack/apigateway.sp
@@ -85,3 +85,197 @@ control "apigateway_rest_api_authorizers_configured" {
     other_checks = "true"
   })
 }
+
+query "apigateway_stage_cache_encryption_at_rest_enabled" {
+  sql = <<-EOQ
+    select
+      -- Required Columns
+      'arn:' || partition || ':apigateway:' || region || '::/apis/' || rest_api_id || '/stages/' || name as resource,
+      case
+        when method_settings -> '*/*' ->> 'CachingEnabled' = 'true'
+        and method_settings -> '*/*' ->> 'CacheDataEncrypted' = 'true' then 'ok'
+        else 'alarm'
+      end as status,
+      case
+        when method_settings -> '*/*' ->> 'CachingEnabled' = 'true'
+        and method_settings -> '*/*' ->> 'CacheDataEncrypted' = 'true'
+          then title || ' API cache and encryption enabled.'
+        else title || ' API cache and encryption not enabled.'
+      end as reason
+      -- Additional Dimensions
+      ${local.tag_dimensions_sql}
+      ${local.common_dimensions_sql}
+    from
+      aws_api_gateway_stage;
+  EOQ
+}
+
+query "apigateway_stage_logging_enabled" {
+  sql = <<-EOQ
+    with all_stages as (
+      select
+        name as stage_name,
+        'arn:' || partition || ':apigateway:' || region || '::/apis/' || rest_api_id || '/stages/' || name as arn,
+        method_settings -> '*/*' ->> 'LoggingLevel' as log_level,
+        title,
+        region,
+        account_id
+      from
+        aws_api_gateway_stage
+      union
+      select
+        stage_name,
+        'arn:' || partition || ':apigateway:' || region || '::/apis/' || api_id || '/stages/' || stage_name as arn,
+        default_route_logging_level as log_level,
+        title,
+        region,
+        account_id
+      from
+        aws_api_gatewayv2_stage
+    )
+    select
+      -- Required Columns
+      arn as resource,
+      case
+        when log_level is null or log_level = '' or log_level = 'OFF' then 'alarm'
+        else 'ok'
+      end as status,
+      case
+        when log_level is null or log_level = '' or log_level = 'OFF' then title || ' logging not enabled.'
+        else title || ' logging enabled.'
+      end as reason
+      -- Additional Dimensions
+      ${local.tag_dimensions_sql}
+      ${local.common_dimensions_sql}
+    from
+      all_stages;
+    EOQ
+}
+
+query "apigateway_rest_api_stage_use_ssl_certificate" {
+  sql = <<-EOQ
+    select
+      -- Required Columns
+      arn as resource,
+      case
+        when client_certificate_id is null then 'alarm'
+        else 'ok'
+      end as status,
+      case
+        when client_certificate_id is null then title || ' does not use SSL certificate.'
+        else title || ' uses SSL certificate.'
+      end as reason
+      -- Additional Dimensions
+      ${local.tag_dimensions_sql}
+      ${local.common_dimensions_sql}
+    from
+      aws_api_gateway_stage;
+  EOQ
+}
+
+query "apigateway_stage_use_waf_web_acl" {
+  sql = <<-EOQ
+    select
+      -- Required Columns
+      arn as resource,
+      case
+        when web_acl_arn is not null then 'ok'
+        else 'alarm'
+      end as status,
+      case
+        when web_acl_arn is not null then title || ' associated with WAF web ACL.'
+        else title || ' not associated with WAF web ACL.'
+      end as reason
+      -- Additional Dimensions
+      ${local.tag_dimensions_sql}
+      ${local.common_dimensions_sql}
+    from
+      aws_api_gateway_stage;
+  EOQ
+}
+
+query "apigateway_rest_api_authorizers_configured" {
+  sql = <<-EOQ
+    select
+      -- Required Columns
+      p.name as resource,
+      case
+        when jsonb_array_length(a.provider_arns) > 0 then 'ok'
+        else 'alarm'
+      end as status,
+      case
+        when jsonb_array_length(a.provider_arns) > 0 then p.name || ' authorizers configured.'
+        else p.name || ' authorizers not configured.'
+      end as reason
+      -- Additional Dimensions
+      ${local.tag_dimensions_sql}
+      ${replace(local.common_dimensions_qualifier_sql, "__QUALIFIER__", "p.")}
+    from
+      aws_api_gateway_rest_api as p
+      left join aws_api_gateway_authorizer as a on p.api_id = a.rest_api_id;
+  EOQ
+}
+
+# Non-Config rule query
+
+query "api_gatewayv2_route_authorization_type_configured" {
+  sql = <<-EOQ
+    select
+      -- Required Columns
+      'arn:' || partition || ':apigateway:' || region || '::/apis/' || api_id || '/routes/' || route_id as resource,
+      case
+        when authorization_type is null then 'alarm'
+        else 'ok'
+      end as status,
+      case
+        when authorization_type is null then route_id || ' authorization type not configured.'
+        else route_id || ' authorization type ' || authorization_type || ' configured.'
+      end as reason
+      -- Additional Dimensions
+      ${local.common_dimensions_sql}
+    from
+      aws_api_gatewayv2_route;
+  EOQ
+}
+
+query "apigateway_rest_api_stage_xray_tracing_enabled" {
+  sql = <<-EOQ
+    select
+      -- Required Columns
+      arn as resource,
+      case
+        when tracing_enabled then 'ok'
+        else 'alarm'
+      end as status,
+      case
+        when tracing_enabled then title || ' X-Ray tracing enabled.'
+        else title || ' X-Ray tracing disabled.'
+      end as reason
+      -- Additional Dimensions
+      ${local.tag_dimensions_sql}
+      ${local.common_dimensions_sql}
+    from
+      aws_api_gateway_stage;
+  EOQ
+}
+
+query "gatewayv2_stage_access_logging_enabled" {
+  sql = <<-EOQ
+    select
+      -- Required Columns
+      'arn:' || partition || ':apigateway:' || region || '::/apis/' || api_id || '/stages/' || stage_name as resource,
+      case
+        when access_log_settings is null then 'alarm'
+        else 'ok'
+      end as status,
+      case
+        when access_log_settings is null then title || ' access logging disabled.'
+        else title || ' access logging enabled.'
+      end as reason
+      -- Additional Dimensions
+      ${local.tag_dimensions_sql}
+      ${local.common_dimensions_sql}
+    from
+      aws_api_gatewayv2_stage;
+  EOQ
+}