Merge pull request #54 from kaytu-io/fix-controls

artaasadi · web-flow · commit 0540a8501696 · 2024-10-04T13:53:22.000+02:00
fix: add include_potential to GetBenchmarkAssignments
diff --git a/policies/controls/aws/aws_cis_v130_1_17.yaml b/policies/controls/aws/aws_cis_v130_1_17.yaml
@@ -28,8 +28,8 @@ Query:
     )
     select
       resource,
-      a.kaytu_account_id as kaytu_account_id,
-      a.kaytu_resource_id as kaytu_resource_id,
+      account_id as kaytu_account_id,
+      resource as kaytu_resource_id,
       case
         when count > 0 then 'ok'
         else 'alarm'
diff --git a/policies/controls/aws/aws_cloudformation_stack_output_no_secrets.yaml b/policies/controls/aws/aws_cloudformation_stack_output_no_secrets.yaml
@@ -16,7 +16,9 @@ Query:
         tags,
         _ctx,
         outputs,
-        title
+        title,
+        kaytu_account_id as kaytu_account_id,
+        kaytu_resource_id as kaytu_resource_id
       from
         aws_cloudformation_stack
     ),
diff --git a/policies/controls/aws/aws_codebuild_project_build_greater_then_90_days.yaml b/policies/controls/aws/aws_codebuild_project_build_greater_then_90_days.yaml
@@ -27,7 +27,9 @@ Query:
         account_id,
         title,
         tags,
-        _ctx
+        _ctx,
+        kaytu_account_id as kaytu_account_id,
+        kaytu_resource_id as kaytu_resource_id
       from
         aws_codebuild_project
       group by
@@ -37,7 +39,9 @@ Query:
         title,
         region,
         account_id,
-        _ctx
+        _ctx,
+        kaytu_account_id,
+        kaytu_resource_id
     )
     select
       p.arn as resource,
diff --git a/policies/controls/aws/aws_dlm_ebs_snapshot_lifecycle_policy_enabled.yaml b/policies/controls/aws/aws_dlm_ebs_snapshot_lifecycle_policy_enabled.yaml
@@ -11,7 +11,9 @@ Query:
         distinct region,
         partition,
         account_id,
-        _ctx
+        _ctx,
+        kaytu_account_id as kaytu_account_id,
+        kaytu_resource_id as kaytu_resource_id
       from
         aws_ebs_snapshot
     ), dlm_ebs_lifecycle_policy as (
diff --git a/policies/controls/aws/aws_ec2_ami_ebs_encryption_enabled.yaml b/policies/controls/aws/aws_ec2_ami_ebs_encryption_enabled.yaml
@@ -27,7 +27,7 @@ Query:
     select
       resource,
       e.account_id as kaytu_account_id,
-      e.image_id as kaytu_resource_id,
+      resource as kaytu_resource_id,
       case
         when all_encrypted then 'ok'
         else 'alarm'
diff --git a/policies/controls/aws/aws_ec2_instance_no_iam_role_with_cloud_log_tampering_access.yaml b/policies/controls/aws/aws_ec2_instance_no_iam_role_with_cloud_log_tampering_access.yaml
@@ -6,18 +6,55 @@ Connector:
 Query:
   Engine: odysseus-v0.0.1
   QueryToExecute: |-
+    with iam_roles as (
+      select
+        r.arn as role_arn,
+        i.arn as intance_arn,
+        i.kaytu_account_id as kaytu_account_id,
+        i.kaytu_account_id as kaytu_account_id
+      from
+        aws_iam_role as r,
+        jsonb_array_elements_text(instance_profile_arns) as p
+        left join aws_ec2_instance as i on p = i.iam_instance_profile_arn
+      where
+        i.arn is not null
+    ),
+    iam_role_with_permission as (
+      select
+        arn
+      from
+        aws_iam_role,
+        jsonb_array_elements(assume_role_policy_std -> 'Statement') as s,
+        jsonb_array_elements_text(s -> 'Principal' -> 'Service') as service,
+        jsonb_array_elements_text(s -> 'Action') as action
+      where
+        arn in (
+          select
+            role_arn
+          from
+            iam_roles
+        )
+      and s ->> 'Effect' = 'Allow'
+      and service = 'ec2.amazonaws.com'
+      and action in (
+        'srds-data:ExecuteStatement',
+        'rds-data:BatchExecuteStatement',
+        '*:*'
+      )
+    )
     select
       i.arn as resource,
       i.kaytu_account_id as kaytu_account_id,
-      i.kaytu_resource_id as kaytu_resource_id,
+      i.kaytu_account_id as kaytu_account_id,
       case
         when p.arn is null then 'ok'
         else 'alarm'
       end status,
       case
-        when p.arn is null then title || ' has no IAM role with cloud log tampering access.'
-        else title || ' has IAM role with cloud log tampering access.'
-      end as reason
+        when p.arn is null then title || ' has no IAM role with destruction RDS permission.'
+        else title || ' has IAM role with destruction RDS permission.'
+      end as reason,
+      i.account_id
     from
       aws_ec2_instance as i
       left join iam_roles as r on r.intance_arn = i.arn
diff --git a/policies/controls/aws/aws_ecr_repository_prohibit_public_access.yaml b/policies/controls/aws/aws_ecr_repository_prohibit_public_access.yaml
@@ -37,7 +37,7 @@ Query:
       aws_ecr_repository as r
       left join open_access_ecr_repo as o on r.arn = o.arn
     group by
-      resource, status, reason, r.region, r.account_id, r.tags, r._ctx;
+      resource, status, reason, r.region, r.account_id, r.tags, r._ctx, r.kaytu_account_id, r.kaytu_resource_id
   PrimaryTable: aws_ecr_repository
   ListOfTables:
   - aws_ecr_repository
diff --git a/policies/controls/aws/aws_elasticache_replication_group_encryption_at_rest_enabled_with_kms_cmk.yaml b/policies/controls/aws/aws_elasticache_replication_group_encryption_at_rest_enabled_with_kms_cmk.yaml
@@ -14,7 +14,9 @@ Query:
         kms_key_id,
         region,
         account_id,
-        _ctx
+        _ctx,
+        kaytu_account_id as kaytu_account_id,
+        kaytu_resource_id as kaytu_resource_id
       from
         aws_elasticache_replication_group
       order by
diff --git a/policies/controls/aws/aws_elb_application_classic_network_lb_prohibit_public_access.yaml b/policies/controls/aws/aws_elb_application_classic_network_lb_prohibit_public_access.yaml
@@ -14,7 +14,9 @@ Query:
         region,
         account_id,
         tags,
-        _ctx
+        _ctx,
+        kaytu_account_id,
+        kaytu_resource_id
       from
         aws_ec2_application_load_balancer
       union
@@ -25,7 +27,9 @@ Query:
         region,
         account_id,
         tags,
-        _ctx
+        _ctx,
+        kaytu_account_id,
+        kaytu_resource_id
       from
         aws_ec2_network_load_balancer
       union
@@ -36,7 +40,9 @@ Query:
         region,
         account_id,
         tags,
-        _ctx
+        _ctx,
+        kaytu_account_id,
+        kaytu_resource_id
       from
       aws_ec2_classic_load_balancer
     )
diff --git a/policies/controls/aws/aws_elb_application_network_lb_use_listeners.yaml b/policies/controls/aws/aws_elb_application_network_lb_use_listeners.yaml
@@ -29,8 +29,8 @@ Query:
     )
     select
       distinct lb.arn as resource,
-      lb.kaytu_account_id as kaytu_account_id,
-      lb.kaytu_resource_id as kaytu_resource_id,
+      l.kaytu_account_id as kaytu_account_id,
+      l.kaytu_resource_id as kaytu_resource_id,
       case
         when l.load_balancer_arn is not null then 'ok'
         else 'alarm'
diff --git a/policies/controls/aws/aws_iam_inline_policy_no_administrative_privileges.yaml b/policies/controls/aws/aws_iam_inline_policy_no_administrative_privileges.yaml
@@ -14,7 +14,9 @@ Query:
         account_id,
         region,
         _ctx,
-        'iam_user' as type
+        'iam_user' as type,
+        kaytu_account_id as kaytu_account_id,
+        kaytu_resource_id as kaytu_resource_id
       from
         aws_iam_user
       union
@@ -25,7 +27,9 @@ Query:
         account_id,
         region,
         _ctx,
-        'iam_role' as type
+        'iam_role' as type,
+        kaytu_account_id as kaytu_account_id,
+        kaytu_resource_id as kaytu_resource_id
       from
         aws_iam_role
       union
@@ -36,7 +40,9 @@ Query:
         account_id,
         region,
         _ctx,
-        'iam_group' as type
+        'iam_group' as type,
+        kaytu_account_id as kaytu_account_id,
+        kaytu_resource_id as kaytu_resource_id
       from
         aws_iam_group
     ),
@@ -71,7 +77,7 @@ Query:
       end status,
       p.name || ' contains ' || coalesce(bad.statements_num,0)  ||
         ' statements that allow action "*" on resource "*".' as reason
-      
+    
     from
       full_administrative_privilege_policies as p
       left join bad_policies as bad on p.arn = bad.arn;
diff --git a/policies/controls/aws/aws_iam_security_audit_role.yaml b/policies/controls/aws/aws_iam_security_audit_role.yaml
@@ -11,7 +11,9 @@ Query:
         'arn:' || a.partition || ':::' || a.account_id as resource,
         count(policy_arn),
         a.account_id,
-        a._ctx
+        a._ctx,
+        a.kaytu_account_id as kaytu_account_id,
+        a.kaytu_resource_id as kaytu_resource_id
       from
         aws_account as a
         left join aws_iam_role as r on r.account_id = a.account_id
@@ -21,12 +23,14 @@ Query:
       group by
         a.account_id,
         a.partition,
-        a._ctx
+        a._ctx,
+        a.kaytu_account_id,
+        a.kaytu_resource_id
     )
     select
       resource,
-      a.kaytu_account_id as kaytu_account_id,
-      a.kaytu_resource_id as kaytu_resource_id,
+      kaytu_account_id as kaytu_account_id,
+      kaytu_resource_id as kaytu_resource_id,
       case
         when count > 0 then 'ok'
         else 'alarm'
diff --git a/policies/controls/aws/aws_organizational_tag_policies_enabled.yaml b/policies/controls/aws/aws_organizational_tag_policies_enabled.yaml
@@ -11,15 +11,19 @@ Query:
         _ctx,
         account_id,
         region,
-        count(*) as count
+        count(*) as count,
+        kaytu_account_id as kaytu_account_id,
+        kaytu_resource_id as kaytu_resource_id
       from
         aws_organizations_policy
       where
         type = 'TAG_POLICY'
       group by
         _ctx,
         region,
-        account_id
+        account_id,
+        kaytu_account_id,
+        kaytu_resource_id
     )
     select
       case
@@ -30,8 +34,8 @@ Query:
         when count > 0 then 'Organizational tag policies are enabled.'
         else 'Organizational tag policies are disabled.'
       end as reason,
-      _ctx.kaytu_account_id as kaytu_account_id,
-      _ctx.kaytu_resource_id as kaytu_resource_id
+      kaytu_account_id as kaytu_account_id,
+      kaytu_resource_id as kaytu_resource_id
     from
       tag_policy_enabled;
   PrimaryTable: aws_organizations_policy
diff --git a/policies/controls/aws/aws_rds_db_instance_connections_encryption_enabled.yaml b/policies/controls/aws/aws_rds_db_instance_connections_encryption_enabled.yaml
@@ -15,7 +15,9 @@ Query:
         i.tags,
         i.region,
         i.account_id,
-        i._ctx
+        i._ctx,
+        i.kaytu_account_id as kaytu_account_id,
+        i.kaytu_resource_id as kaytu_resource_id
       from
         aws_rds_db_instance as i,
         jsonb_array_elements(db_parameter_groups) as g
diff --git a/policies/controls/aws/aws_sagemaker_notebook_instance_encrypted_with_kms_cmk.yaml b/policies/controls/aws/aws_sagemaker_notebook_instance_encrypted_with_kms_cmk.yaml
@@ -14,7 +14,9 @@ Query:
         kms_key_id,
         title,
         tags,
-        _ctx
+        _ctx,
+        kaytu_account_id as kaytu_account_id,
+        kaytu_resource_id as kaytu_resource_id
       from
         aws_sagemaker_notebook_instance
     ), kms_keys as (
