
Commit 013708b

authored
Merge pull request #7 from opengovern/feat-updating-format1
updating Queries
2 parents a2ddb06 + bceee13 commit 013708b


2,111 files changed

+40607
-23491
lines changed


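--- a/compliance/controls/error_messages.log
+++ b/compliance/controls/error_messages.log
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+# Description:
+# This script traverses all subdirectories to find YAML files containing the 'Integration_Type_Name' key
+# and renames the key to 'IntegrationTypeName' while preserving its values.
+
+# Define the root directory (current directory)
+ROOT_DIR="."
+
+# Create or clear the log files
+> renamed_files.log
+> error_files.log
+> error_messages.log
+
+# Find all .yaml and .yml files
+find "$ROOT_DIR" -type f \( -iname "*.yaml" -o -iname "*.yml" \) -print0 | while IFS= read -r -d '' file; do
+# Check if the file contains the 'Integration_Type_Name:' key
+if grep -q '^Integration_Type_Name:' "$file"; then
+echo "Processing: $file"
+
+# Apply the yq transformation to rename the key
+if yq eval -i '
+.IntegrationTypeName = .Integration_Type_Name |
+del(.Integration_Type_Name)
+' "$file"; then
+echo "$file renamed successfully." >> renamed_files.log
+else
+echo "Error renaming $file" >> error_files.log
+# Capture detailed error messages
+yq eval -i '
+.IntegrationTypeName = .Integration_Type_Name |
+del(.Integration_Type_Name)
+' "$file" 2>> error_messages.log
+fi
+fi
+done
+
+echo "Bulk renaming completed. Check 'renamed_files.log' for details."
+echo "Any errors are logged in 'error_files.log' and 'error_messages.log'."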
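Review bot: The file added at compliance/controls/error_messages.log is a bash script rather than a log, and the script itself truncates that same path (`> error_messages.log`) and appends yq stderr to it, so this commit appears to have captured a one-off migration helper together with its outputs (renamed_files.log, 2,846 lines, in the same directory) under the message "updating Queries"; I would drop both from the commit, keep the script under a `.sh` name if it is still needed, and ignore the generated `*.log` files in that directory. Within the script, the `else` branch re-runs `yq eval -i` on the file that just failed purely to capture stderr, which performs the in-place edit a second time; redirecting stderr on the first invocation, `' "$file" 2>> error_messages.log; then`, records the message without a second mutation and lets the `# Capture detailed error messages` block go. Also worth noting: if the script were ever executed from its current path, the `> error_messages.log` line would truncate the script while bash is still reading it, which is presumably not intended.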

compliance/controls/renamed_files.log

Lines changed: 2846 additions & 0 deletions
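--- a/[file path hidden on page]
+++ b/[file path hidden on page]
@@ -1,16 +1,25 @@
 Description: List of lambda functions which are not encrypted with CMK
 ID: aws_insight_lambda_function_not_cmk_encrypted
 IntegrationType:
-- aws_cloud_account
+- aws_cloud_account
 Query:
 Engine: CloudQL-v0.0.1
 ListOfTables:
-- aws_lambda_function
+- aws_lambda_function
 Parameters: []
 PrimaryTable: aws_lambda_function
-QueryToExecute: "select\n name,\n kms_key_arn, account_id, og_account_id, og_resource_id\n\
-from\n aws_lambda_function\nwhere\n kms_key_arn is null;"
+QueryToExecute: |
+SELECT
+name,
+kms_key_arn,
+account_id,
+og_account_id,
+og_resource_id
+FROM
+aws_lambda_function
+WHERE
+kms_key_arn IS NULL;
 Tags:
 category:
-- Security
-Title: Unencrypted Lambda
+- Security
+Title: Unencrypted Lambda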
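--- a/[file path hidden on page]
+++ b/[file path hidden on page]
@@ -1,19 +1,20 @@
 Description: List certificates for which transparency logging is disabled
 ID: aws_insight_acm_certificate_transparency_logging_disabled
 IntegrationType:
-- aws_cloud_account
+- aws_cloud_account
 Query:
 Engine: CloudQL-v0.0.1
 ListOfTables:
-- aws_acm_certificate
+- aws_acm_certificate
 Parameters: []
 PrimaryTable: aws_acm_certificate
-QueryToExecute: "select certificate_arn, domain_name, status, account_id, og_account_id,\
-\ og_resource_id from\n aws_acm_certificate\nwhere\n certificate_transparency_logging_preference\
-\ <> 'ENABLED';"
+QueryToExecute: |
+SELECT certificate_arn, domain_name, status, account_id, og_account_id, og_resource_id
+FROM aws_acm_certificate
+WHERE certificate_transparency_logging_preference <> 'ENABLED';
 Tags:
 category:
-- Security
-- Technical Debt
-- Resiliency
-Title: Certificates with no Logging
+- Security
+- Technical Debt
+- Resiliency
+Title: Certificates with no Logging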
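Review bot: `WHERE certificate_transparency_logging_preference <> 'ENABLED'` silently drops every row where the column is NULL, because `NULL <> 'ENABLED'` evaluates to UNKNOWN rather than true, so a certificate with no recorded preference never shows up in a list of "certificates for which transparency logging is disabled". If NULL should count as not enabled, write `WHERE certificate_transparency_logging_preference IS DISTINCT FROM 'ENABLED'` (the engine looks Postgres-flavoured given the `jsonb` operators used elsewhere in this commit) or, portably, `WHERE COALESCE(certificate_transparency_logging_preference, '') <> 'ENABLED'`. If excluding NULL is deliberate, a one-line comment inside the block scalar saying so would keep the next reader from "fixing" it.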

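--- a/queries/11-aws_insight_acm_certificate_expired.yaml
+++ b/queries/11-aws_insight_acm_certificate_expired.yaml
@@ -1,19 +1,26 @@
 Description: List of expired certificates
 ID: aws_insight_acm_certificate_expired
 IntegrationType:
-- aws_cloud_account
+- aws_cloud_account
 Query:
 Engine: CloudQL-v0.0.1
 ListOfTables:
-- aws_acm_certificate
+- aws_acm_certificate
 Parameters: []
 PrimaryTable: aws_acm_certificate
-QueryToExecute: "select certificate_arn, domain_name, status, account_id, og_account_id,\
-\ og_resource_id from\n aws_acm_certificate\nwhere\n status = 'EXPIRED';"
+QueryToExecute: |
+SELECT certificate_arn,
+domain_name,
+status,
+account_id,
+og_account_id,
+og_resource_id
+FROM aws_acm_certificate
+WHERE status = 'EXPIRED';
 Tags:
 category:
-- Security
-- Technical Debt
-- Resiliency
-- Cost Management
-Title: Expired Certificates
+- Security
+- Technical Debt
+- Resiliency
+- Cost Management
+Title: Expired Certificates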
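Review bot: The reformatted queries in this commit do not share one layout: here the first column sits on the `SELECT` line with the rest indented under it, the lambda query earlier puts every column on its own line beneath `SELECT`, the transparency-logging query keeps the whole column list on one line, and the classic-load-balancer query upper-cases its identifiers. Since the purpose of the change is a uniform format, I would pick one shape (one column per line under `SELECT`, clause keywords at the left margin, lower-case snake_case identifiers, a terminating `;`) and apply it to the whole batch, preferably with a formatter such as sqlfluff so the rule is mechanical rather than per-file. The mode change from 100755 to 100644 on this data file is fine.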
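--- a/[file path hidden on page]
+++ b/[file path hidden on page]
@@ -1,18 +1,20 @@
 Description: List Snapshots older than 365 days
 ID: aws_insight_ebs_snapshot_older_than_year
 IntegrationType:
-- aws_cloud_account
+- aws_cloud_account
 Query:
 Engine: CloudQL-v0.0.1
 ListOfTables:
-- aws_ebs_snapshot
+- aws_ebs_snapshot
 Parameters: []
 PrimaryTable: aws_ebs_snapshot
-QueryToExecute: SELECT snapshot_id, arn, start_time, account_id, og_account_id,
-og_resource_id FROM aws_ebs_snapshot WHERE start_time < now() - interval '1 year';
+QueryToExecute: |
+SELECT snapshot_id, arn, start_time, account_id, og_account_id, og_resource_id
+FROM aws_ebs_snapshot
+WHERE start_time < NOW() - INTERVAL '1 year';
 Tags:
 category:
-- Security
-- Technical Debt
-- Cost Management
-Title: Snapshots older than a year
+- Security
+- Technical Debt
+- Cost Management
+Title: Snapshots older than a year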
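Review bot: The Description says "older than 365 days" but the predicate is `start_time < NOW() - INTERVAL '1 year'`, and under Postgres-style interval arithmetic (which the `jsonb` operators in this commit suggest the engine follows) one year is twelve calendar months, i.e. 366 days when the window spans a leap day, so the text and the filter disagree at the boundary. Either reword the Description to "older than one year" to match the Title, or make the query match the text with `WHERE start_time < NOW() - INTERVAL '365 days'`. `CURRENT_TIMESTAMP` is the portable spelling of `NOW()` if these queries are ever run outside this engine.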
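--- a/[file path hidden on page]
+++ b/[file path hidden on page]
@@ -1,22 +1,29 @@
 Description: List all Classic Load Balancer. Link here.
 ID: aws_insight_ec2_classic_load_balancer
 IntegrationType:
-- aws_cloud_account
+- aws_cloud_account
 Query:
 Engine: CloudQL-v0.0.1
 ListOfTables:
-- aws_ec2_classic_load_balancer
+- aws_ec2_classic_load_balancer
 Parameters: []
 PrimaryTable: aws_ec2_classic_load_balancer
-QueryToExecute: SELECT name, arn, account_id, og_account_id, og_resource_id FROM
-aws_ec2_classic_load_balancer
+QueryToExecute: |
+SELECT
+NAME,
+ARN,
+ACCOUNT_ID,
+OG_ACCOUNT_ID,
+OG_RESOURCE_ID
+FROM
+AWS_EC2_CLASSIC_LOAD_BALANCER
 Tags:
 category:
-- Security
-- Technical Debt
-- Resiliency
+- Security
+- Technical Debt
+- Resiliency
 persona:
-- Executive
-- Product
-- FinOps
-Title: Classic Load Balancers
+- Executive
+- Product
+- FinOps
+Title: Classic Load Balancers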
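Review bot: The reformatted query upper-cases its identifiers (`NAME`, `ARN`, `ACCOUNT_ID`, `AWS_EC2_CLASSIC_LOAD_BALANCER`), which only works because unquoted identifiers are case-folded in Postgres-style engines and which no other query in this commit does; keep identifiers lower-case snake_case as in the sibling files and reserve upper case for keywords, e.g. `FROM aws_ec2_classic_load_balancer;`. That line is also the only statement in the batch without a terminating `;`. Separately, `Description: List all Classic Load Balancer. Link here.` still carries the "Link here." placeholder from a template, which should either become the intended reference or be removed.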
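--- a/[file path hidden on page]
+++ b/[file path hidden on page]
@@ -1,29 +1,43 @@
-Description: List all Load Balancers with out SSL
+Description: List all Load Balancers without SSL
 ID: aws_insight_elb_classic_lb_use_ssl_certificate
 IntegrationType:
-- aws_cloud_account
+- aws_cloud_account
 Query:
 Engine: CloudQL-v0.0.1
 ListOfTables:
-- aws_ec2_classic_load_balancer
+- aws_ec2_classic_load_balancer
 Parameters: []
 PrimaryTable: aws_ec2_classic_load_balancer
-QueryToExecute: "with detailed_classic_listeners as (\n select\n name\n from\n\
-\ aws_ec2_classic_load_balancer,\n jsonb_array_elements(listener_descriptions)\
-\ as listener_description\n where\n listener_description -> 'Listener' ->>\
-\ 'Protocol' in ('HTTPS', 'SSL', 'TLS')\n and listener_description -> 'Listener'\
-\ ->> 'SSLCertificateId' like 'arn:aws:acm%'\n)\nselect\n -- Required Columns\n\
-\ 'arn:' || a.partition || ':elasticloadbalancing:' || a.region || ':' || a.account_id\
-\ || ':loadbalancer/' || a.name as resource,\n case\n when a.listener_descriptions\
-\ is null then 'skip'\n when b.name is not null then 'alarm'\n else 'ok'\n\
-\ end as status,\n case\n when a.listener_descriptions is null then a.title\
-\ || ' has no listener.'\n when b.name is not null then a.title || ' does not\
-\ use certificates provided by ACM.'\n else a.title || ' uses certificates\
-\ provided by ACM.'\n end as reason,\n -- Additional Dimensions\n region,\n\
-\ account_id, og_account_id, og_resource_id\nfrom\n aws_ec2_classic_load_balancer\
-\ as a\n left join detailed_classic_listeners as b on a.name = b.name;"
+QueryToExecute: |
+WITH detailed_classic_listeners AS (
+SELECT
+name
+FROM
+aws_ec2_classic_load_balancer,
+jsonb_array_elements(listener_descriptions) AS listener_description
+WHERE
+listener_description -> 'Listener' ->> 'Protocol' IN ('HTTPS', 'SSL', 'TLS')
+AND listener_description -> 'Listener' ->> 'SSLCertificateId' LIKE 'arn:aws:acm%'
+)
+SELECT
+'arn:' || a.partition || ':elasticloadbalancing:' || a.region || ':' || a.account_id || ':loadbalancer/' || a.name AS resource,
+CASE
+WHEN a.listener_descriptions IS NULL THEN 'skip'
+WHEN b.name IS NOT NULL THEN 'alarm'
+ELSE 'ok'
+END AS status,
+CASE
+WHEN a.listener_descriptions IS NULL THEN a.title || ' has no listener.'
+WHEN b.name IS NOT NULL THEN a.title || ' does not use certificates provided by ACM.'
+ELSE a.title || ' uses certificates provided by ACM.'
+END AS reason,
+region,
+account_id, og_account_id, og_resource_id
+FROM
+aws_ec2_classic_load_balancer AS a
+LEFT JOIN detailed_classic_listeners AS b ON a.name = b.name;
 Tags:
 category:
-- Security
-- Technical Debt
-Title: Load Balancers with no SSL
+- Security
+- Technical Debt
+Title: Load Balancers with no SSL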
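Review bot: The status and reason branches contradict the CTE they are joined to: `detailed_classic_listeners` keeps load balancers that have an HTTPS/SSL/TLS listener whose `SSLCertificateId` is an ACM ARN, yet a match (`b.name IS NOT NULL`) yields `'alarm'` with the reason `' does not use certificates provided by ACM.'`, while a non-match yields `'ok'` with `' uses certificates provided by ACM.'`, so exactly the load balancers that do use ACM certificates are the ones reported as failing. The old side had the same branches, so the reformat preserved this rather than introduced it, but given the Title "Load Balancers with no SSL" the two CASE expressions look inverted and should be swapped as below (flipping the CTE filter to `NOT LIKE` would also "fix" the labels but changes which listeners are counted, so I would not do that). Also worth confirming: a load balancer whose `listener_descriptions` is an empty array rather than NULL skips the `'skip'` branch and lands in the `ELSE` branch.
```sql
-- … unchanged: detailed_classic_listeners CTE and the resource column …
CASE
  WHEN a.listener_descriptions IS NULL THEN 'skip'
  WHEN b.name IS NOT NULL THEN 'ok'
  ELSE 'alarm'
END AS status,
CASE
  WHEN a.listener_descriptions IS NULL THEN a.title || ' has no listener.'
  WHEN b.name IS NOT NULL THEN a.title || ' uses certificates provided by ACM.'
  ELSE a.title || ' does not use certificates provided by ACM.'
END AS reason,
-- … unchanged: remaining columns, FROM and LEFT JOIN …
```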
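--- a/[file path hidden on page]
+++ b/[file path hidden on page]
@@ -1,22 +1,32 @@
 Description: List all ELB with no WAF.
 ID: aws_insight_elb_application_lb_waf_enabled
 IntegrationType:
-- aws_cloud_account
+- aws_cloud_account
 Query:
 Engine: CloudQL-v0.0.1
 ListOfTables:
-- aws_ec2_application_load_balancer
+- aws_ec2_application_load_balancer
 Parameters: []
 PrimaryTable: aws_ec2_application_load_balancer
-QueryToExecute: "select\n -- Required Columns\n arn as resource, account_id, og_account_id,\
-\ og_resource_id,\n case\n when load_balancer_attributes @> '[{\"Key\":\"\
-waf.fail_open.enabled\",\"Value\":\"true\"}]' then 'ok'\n else 'alarm'\n end\
-\ as status,\n case\n when load_balancer_attributes @> '[{\"Key\":\"waf.fail_open.enabled\"\
-,\"Value\":\"true\"}]' then title || ' WAF enabled.'\n else title || ' WAF\
-\ disabled.'\n end as reason,\n -- Additional Dimensions\n region \nfrom\n\
-\ aws_ec2_application_load_balancer;"
+QueryToExecute: |
+SELECT
+arn AS resource,
+account_id,
+og_account_id,
+og_resource_id,
+CASE
+WHEN load_balancer_attributes @> '[{"Key":"waf.fail_open.enabled","Value":"true"}]' THEN 'ok'
+ELSE 'alarm'
+END AS status,
+CASE
+WHEN load_balancer_attributes @> '[{"Key":"waf.fail_open.enabled","Value":"true"}]' THEN title || ' WAF enabled.'
+ELSE title || ' WAF disabled.'
+END AS reason,
+region
+FROM
+aws_ec2_application_load_balancer;
 Tags:
 category:
-- Security
-- Technical Debt
-Title: Load Balancers with no WAF
+- Security
+- Technical Debt
+Title: Load Balancers with no WAF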
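Review bot: `load_balancer_attributes @> '[{"Key":"waf.fail_open.enabled","Value":"true"}]'` tests the fail-open attribute — as AWS documents it, whether a WAF-protected load balancer keeps routing requests when it cannot reach AWS WAF — not whether a web ACL is associated at all, so an ALB that has WAF attached with fail-open left at its default of false is reported as `'alarm'` / `' WAF disabled.'`, and the reason text overstates what the predicate checks. If the engine exposes the load balancer's web ACL association, the status should be derived from that; otherwise the reason strings and the Description should say "fail-open" rather than "WAF enabled/disabled" so consumers are not misled. Separately, the Description promises "List all ELB with no WAF" but the query returns every application load balancer with a status column and no `WHERE` clause; either filter with `WHERE NOT (load_balancer_attributes @> '[{"Key":"waf.fail_open.enabled","Value":"true"}]')` or reword the Description to say it reports a status per load balancer, as the old side's `-- Required Columns` / `-- Additional Dimensions` comments (dropped here) implied.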
