feat: add rego policies

Author: Mahanmmi

compliance/controls/aws/aws_ec2_ami_not_older_than_90_days_rego.yaml

@@ -0,0 +1,53 @@
+Description: Ensure that your AMIs are not older than 90 days.
+ID: aws_ec2_ami_not_older_than_90_days_rego
+IntegrationType:
+  - aws_cloud_account
+Query:
+  Engine: cloudql-rego
+  ListOfTables:
+    - aws_ec2_ami
+  Parameters: []
+  PrimaryTable: aws_ec2_ami
+  RegoPolicies:
+    - |
+      package aws_ec2_ami_not_older_than_90_days_rego
+      import future.keywords.in
+  
+        # Define the result rule
+      result[obj] {
+        some ami in opencomply.aws_ec2_ami({})
+  
+        # Populate the fields in the result object
+        obj := {
+          "resource": ami.image_id,
+          "platform_integration_id": ami.platform_integration_id,
+          "platform_resource_id": ami.platform_resource_id,
+          "status": status(ami.creation_date),
+          "reason": sprintf("%s created %s (%d days).", [
+            ami.title,
+            time.format(ami.creation_date),
+            days_since_creation(ami.creation_date)
+          ])
+        }
+      }
+  
+      # Determine the status based on the creation_date
+      status(creation_date) = "ok" {
+        creation_date >= time.now_ns() - (90 * 24 * 60 * 60 * 1e9)  # 90 days in nanoseconds
+      }
+      status(creation_date) = "alarm" {
+        creation_date < time.now_ns() - (90 * 24 * 60 * 60 * 1e9)
+      }
+      days_since_creation(creation_date) = days {
+        now := time.now_ns()
+        days := floor((now - creation_date) / (24 * 60 * 60 * 1e9))  # Convert nanoseconds to days
+      }
+  QueryToExecute: |
+    data.aws_ec2_ami_not_older_than_90_days_rego.result
+Severity: low
+Tags: {}
+Title: Ensure Images (AMI) are not older than 90 days
+  
+  
+  
+

compliance/controls/aws/aws_ec2_classic_lb_connection_draining_enabled_rego.yaml

@@ -0,0 +1,59 @@
+Description: This control checks whether Classic Load Balancers have connection draining enabled.
+ID: aws_ec2_classic_lb_connection_draining_enabled_rego
+IntegrationType:
+  - aws_cloud_account
+Query:
+  Engine: cloudql-rego
+  ListOfTables:
+    - aws_ec2_classic_load_balancer
+  Parameters: []
+  PrimaryTable: aws_ec2_classic_load_balancer
+  RegoPolicies:
+    - |
+      package aws_ec2_classic_lb_connection_draining_enabled_rego
+      import future.keywords.in
+  
+      status(lb) = "ok" {
+        lb.connection_draining_enabled == true
+      }
+      status(lb) = "alarm" {
+        lb.connection_draining_enabled == false
+      }
+
+      reason(lb) = sprintf("%s connection draining enabled.", [lb.title]) {
+        lb.connection_draining_enabled == true
+      }
+      reason(lb) = sprintf("%s connection draining disabled.", [lb.title]) {
+        lb.connection_draining_enabled == false
+      }
+
+      result[obj] {
+        some lb in opencomply.aws_ec2_classic_load_balancer({})
+  
+        obj = {
+          "resource": lb.arn,
+          "platform_integration_id": lb.platform_integration_id,
+          "platform_resource_id": lb.platform_resource_id,
+          "status": status(lb),
+          "reason": reason(lb),
+          "region": lb.region,
+          "account_id": lb.account_id,
+        }
+    }
+  QueryToExecute: |
+    data.aws_ec2_classic_lb_connection_draining_enabled_rego.result
+Severity: medium
+Tags:
+  aws_foundational_security:
+    - "true"
+  category:
+    - Compliance
+  foundational_security_category:
+    - resilience
+  foundational_security_item_id:
+    - elb_7
+  plugin:
+    - aws
+  service:
+    - AWS/ELB
+Title: Classic Load Balancers should have connection draining enabled