
Commit 795cc97

authored
Merge pull request #35 from opengovern/feat-config-struct
Feat config struct
2 parents e3199fd + ed771cc commit 795cc97


4,577 files changed

+134928
-130772
lines changed

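--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -1,57 +1,58 @@
 id: aws_account_alternate_contact_security_registered
 title: Security contact information should be provided for an AWS account
+type: control
 description: This control checks if an AWS Web Services (AWS) account has security contact information. The control fails if security contact information is not provided for the account.
 integration_type:
-- aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
-language: sql
-primary_resource: aws_account
-definition: |
-WITH alternate_security_contact AS (
-SELECT
-name,
-account_id
-FROM
-aws_account_alternate_contact
-WHERE
-contact_type = 'SECURITY'
-)
-SELECT
-arn AS resource,
-platform_integration_id AS platform_integration_id,
-platform_resource_id AS platform_resource_id,
-CASE
-WHEN a.partition = 'aws-us-gov' THEN 'info'
-WHEN c.name IS NOT NULL THEN 'ok'
-ELSE 'alarm'
-END AS status,
-CASE
-WHEN a.partition = 'aws-us-gov' THEN a.title || ' in GovCloud, manual verification required.'
-WHEN c.name IS NOT NULL THEN a.title || ' has security contact ' || c.name || ' registered.'
-ELSE a.title || ' security contact not registered.'
-END AS reason,
-a.account_id
-FROM
-aws_account AS a
-LEFT JOIN alternate_security_contact AS c ON c.account_id = a.account_id;
+language: sql
+primary_resource: aws_account
+definition: |
+WITH alternate_security_contact AS (
+SELECT
+name,
+account_id
+FROM
+aws_account_alternate_contact
+WHERE
+contact_type = 'SECURITY'
+)
+SELECT
+arn AS resource,
+platform_integration_id AS platform_integration_id,
+platform_resource_id AS platform_resource_id,
+CASE
+WHEN a.partition = 'aws-us-gov' THEN 'info'
+WHEN c.name IS NOT NULL THEN 'ok'
+ELSE 'alarm'
+END AS status,
+CASE
+WHEN a.partition = 'aws-us-gov' THEN a.title || ' in GovCloud, manual verification required.'
+WHEN c.name IS NOT NULL THEN a.title || ' has security contact ' || c.name || ' registered.'
+ELSE a.title || ' security contact not registered.'
+END AS reason,
+a.account_id
+FROM
+aws_account AS a
+LEFT JOIN alternate_security_contact AS c ON c.account_id = a.account_id;
 severity: low
 tags:
-category:
-- Compliance
-cis:
-- 'true'
-cis_item_id:
-- '1.18'
-cis_level:
-- '1'
-cis_section_id:
-- '1'
-cis_type:
-- not_scored
-cis_version:
-- v1.2.0
-plugin:
-- aws
-service:
-- AWS/IAM
+category:
+- Compliance
+cis:
+- "true"
+cis_item_id:
+- "1.18"
+cis_level:
+- "1"
+cis_section_id:
+- "1"
+cis_type:
+- not_scored
+cis_version:
+- v1.2.0
+plugin:
+- aws
+service:
+- AWS/IAM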
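Review bot: In the new-side `definition:` block the outer SELECT mixes unqualified columns (`arn`, `platform_integration_id`, `platform_resource_id`) with `a.`-qualified ones, which only works because the CTE exposes just `name` and `account_id`; any later column added to `alternate_security_contact` with one of those names turns this into an ambiguous-column error. Qualifying them, `a.arn AS resource,` / `a.platform_integration_id,` / `a.platform_resource_id,`, also drops the no-op self-aliases such as `platform_integration_id AS platform_integration_id`, which recur in the other four controls of this commit (`aws_account_part_of_organizations`, `aws_acm_certificate_expires_30_days`, `aws_acm_certificate_no_failed_certificate`, `aws_acm_certificate_no_pending_validation_certificate`). The LEFT JOIN also assumes at most one SECURITY contact row per `account_id`; if the collected table can hold more than one (I cannot confirm its key from this page), each account row is duplicated in the findings, so a one-line SQL comment above the CTE stating that assumption would help the next maintainer.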
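--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -1,42 +1,43 @@
 id: aws_account_part_of_organizations
 title: AWS account should be part of AWS Organizations
+type: control
 description: Ensure that an AWS account is part of AWS Organizations. The rule is non-compliant if an AWS account is not part of AWS Organizations, or AWS Organizations' master account ID does not match rule parameter MasterAccountId.
 integration_type:
-- aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
-language: sql
-primary_resource: aws_account
-definition: |
-SELECT
-arn AS resource,
-platform_integration_id AS platform_integration_id,
-platform_resource_id AS platform_resource_id,
-CASE
-WHEN organization_id IS NOT NULL THEN 'ok'
-ELSE 'alarm'
-END AS status,
-CASE
-WHEN organization_id IS NOT NULL THEN title || ' is part of organization(s).'
-ELSE title || ' is not part of organization.'
-END AS reason,
-region,
-account_id
-FROM
-aws_account;
+language: sql
+primary_resource: aws_account
+definition: |
+SELECT
+arn AS resource,
+platform_integration_id AS platform_integration_id,
+platform_resource_id AS platform_resource_id,
+CASE
+WHEN organization_id IS NOT NULL THEN 'ok'
+ELSE 'alarm'
+END AS status,
+CASE
+WHEN organization_id IS NOT NULL THEN title || ' is part of organization(s).'
+ELSE title || ' is not part of organization.'
+END AS reason,
+region,
+account_id
+FROM
+aws_account;
 severity: medium
 tags:
-category:
-- Compliance
-cis_controls_v8_ig1:
-- 'true'
-gxp_21_cfr_part_11:
-- 'true'
-nist_800_53_rev_5:
-- 'true'
-nist_csf:
-- 'true'
-plugin:
-- aws
-service:
-- AWS/IAM
+category:
+- Compliance
+cis_controls_v8_ig1:
+- "true"
+gxp_21_cfr_part_11:
+- "true"
+nist_800_53_rev_5:
+- "true"
+nist_csf:
+- "true"
+plugin:
+- aws
+service:
+- AWS/IAM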
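Review bot: The `description:` on the new side promises a check the policy does not make: it says the control is non-compliant when "AWS Organizations' master account ID does not match rule parameter MasterAccountId", but `parameters: []` declares no such parameter and the `definition:` only tests `organization_id IS NOT NULL`, so an account that sits in an attacker-controlled or unexpected organization is reported `ok`. Either trim the description to what is implemented, e.g. `description: Ensure that an AWS account is part of AWS Organizations. The control fails if the account is not part of any organization.`, or declare the parameter and extend the CASE to compare the organization's master account id against it. Note also that `region` is projected for an account-level resource, which the sibling `aws_account_alternate_contact_security_registered` control omits; a short SQL comment on why it is included would keep the two consistent.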
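--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -1,64 +1,65 @@
 id: aws_acm_certificate_expires_30_days
 title: ACM certificates should not expire within 30 days
+type: control
 description: Ensure network integrity is protected by ensuring X509 certificates are issued by AWS ACM.
 integration_type:
-- aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
-language: sql
-primary_resource: aws_acm_certificate
-definition: |
-SELECT
-certificate_arn AS resource,
-platform_integration_id AS platform_integration_id,
-platform_resource_id AS platform_resource_id,
-CASE
-WHEN renewal_eligibility = 'INELIGIBLE' THEN 'skip'
-WHEN DATE(not_after) - DATE(current_date) >= 30 THEN 'ok'
-ELSE 'alarm'
-END AS status,
-CASE
-WHEN renewal_eligibility = 'INELIGIBLE' THEN title || ' not eligible for renewal.'
-ELSE title || ' expires ' || TO_CHAR(not_after, 'DD-Mon-YYYY') ||
-' (' || EXTRACT(DAY FROM not_after - current_date) || ' days).'
-END AS reason,
-region,
-account_id
-FROM
-aws_acm_certificate;
+language: sql
+primary_resource: aws_acm_certificate
+definition: |
+SELECT
+certificate_arn AS resource,
+platform_integration_id AS platform_integration_id,
+platform_resource_id AS platform_resource_id,
+CASE
+WHEN renewal_eligibility = 'INELIGIBLE' THEN 'skip'
+WHEN DATE(not_after) - DATE(current_date) >= 30 THEN 'ok'
+ELSE 'alarm'
+END AS status,
+CASE
+WHEN renewal_eligibility = 'INELIGIBLE' THEN title || ' not eligible for renewal.'
+ELSE title || ' expires ' || TO_CHAR(not_after, 'DD-Mon-YYYY') ||
+' (' || EXTRACT(DAY FROM not_after - current_date) || ' days).'
+END AS reason,
+region,
+account_id
+FROM
+aws_acm_certificate;
 severity: high
 tags:
-category:
-- Compliance
-cisa_cyber_essentials:
-- 'true'
-fedramp_low_rev_4:
-- 'true'
-fedramp_moderate_rev_4:
-- 'true'
-ffiec:
-- 'true'
-gdpr:
-- 'true'
-hipaa_final_omnibus_security_rule_2013:
-- 'true'
-hipaa_security_rule_2003:
-- 'true'
-nist_800_53_rev_4:
-- 'true'
-nist_800_53_rev_5:
-- 'true'
-nist_800_171_rev_2:
-- 'true'
-nist_csf:
-- 'true'
-pci_dss_v321:
-- 'true'
-plugin:
-- aws
-rbi_cyber_security:
-- 'true'
-service:
-- AWS/ACM
-soc_2:
-- 'true'
+category:
+- Compliance
+cisa_cyber_essentials:
+- "true"
+fedramp_low_rev_4:
+- "true"
+fedramp_moderate_rev_4:
+- "true"
+ffiec:
+- "true"
+gdpr:
+- "true"
+hipaa_final_omnibus_security_rule_2013:
+- "true"
+hipaa_security_rule_2003:
+- "true"
+nist_800_171_rev_2:
+- "true"
+nist_800_53_rev_4:
+- "true"
+nist_800_53_rev_5:
+- "true"
+nist_csf:
+- "true"
+pci_dss_v321:
+- "true"
+plugin:
+- aws
+rbi_cyber_security:
+- "true"
+service:
+- AWS/ACM
+soc_2:
+- "true"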
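Review bot: The new-side CASE returns `'skip'` for any certificate with `renewal_eligibility = 'INELIGIBLE'` before the expiry date is examined, so a certificate that cannot be auto-renewed and expires within 30 days — exactly the case an operator must act on by hand — produces no finding at all. Evaluating the date first and keeping eligibility only in the reason, `WHEN DATE(not_after) - DATE(current_date) >= 30 THEN 'ok'` / `ELSE 'alarm'`, preserves the control's stated intent; if INELIGIBLE covers imported certificates (I cannot confirm the value set from this page) that is the population most likely to expire unnoticed. Two smaller points: an already-expired certificate yields a reason like `... expires 01-Jan-2024 (-5 days).`, which reads oddly, and the `description:` ("certificates are issued by AWS ACM") does not describe what the title and query check. The 30-day threshold is also hard-coded although the control declares a `parameters:` list through which it could be tuned.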
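--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -1,23 +1,24 @@
 id: aws_acm_certificate_no_failed_certificate
 title: Ensure that ACM certificates are not in failed state
+type: control
 description: This control ensures that ACM certificates are not in failed state.
 integration_type:
-- aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
-language: sql
-primary_resource: aws_acm_certificate
-definition: |
-SELECT
-certificate_arn AS resource,
-platform_integration_id AS platform_integration_id,
-platform_resource_id AS platform_resource_id,
-CASE
-WHEN status IN ('VALIDATION_TIMED_OUT', 'FAILED') THEN 'alarm'
-ELSE 'ok'
-END AS status,
-title || ' status is ' || status || '.' AS reason
-FROM
-aws_acm_certificate;
+language: sql
+primary_resource: aws_acm_certificate
+definition: |
+SELECT
+certificate_arn AS resource,
+platform_integration_id AS platform_integration_id,
+platform_resource_id AS platform_resource_id,
+CASE
+WHEN status IN ('VALIDATION_TIMED_OUT', 'FAILED') THEN 'alarm'
+ELSE 'ok'
+END AS status,
+title || ' status is ' || status || '.' AS reason
+FROM
+aws_acm_certificate;
 severity: low
 tags: {}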
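Review bot: The new-side `definition:` for this control (and for `aws_acm_certificate_no_pending_validation_certificate` in the next section) projects only `resource`, `platform_integration_id`, `platform_resource_id`, `status` and `reason`, whereas the other three controls in this commit also return `region` and `account_id`; findings from these two cannot be attributed per account or region the way the others can, unless the evaluator derives those fields elsewhere (not visible here). Adding `region,` / `account_id` after the reason column would align them. Both controls also ship `tags: {}` where the siblings carry `plugin:` and `service:` entries, which hampers filtering by service. A readability point: the alias in `END AS status` shadows the table column `status` that the CASE and the reason read; in standard SQL those references resolve to the column, but a line such as `-- status in the expressions is the ACM certificate status; the alias is the control verdict` inside the SQL would spare the next reader the double-take.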
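--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -1,23 +1,24 @@
 id: aws_acm_certificate_no_pending_validation_certificate
 title: Ensure that ACM certificates are not in pending validation state
+type: control
 description: This control ensures that ACM certificates are not in pending validation state. When certificates are not validated within 72 hours after the request is made, those certificates become invalid.
 integration_type:
-- aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
-language: sql
-primary_resource: aws_acm_certificate
-definition: |
-SELECT
-certificate_arn AS resource,
-platform_integration_id AS platform_integration_id,
-platform_resource_id AS platform_resource_id,
-CASE
-WHEN status = 'PENDING_VALIDATION' THEN 'info'
-ELSE 'ok'
-END AS status,
-title || ' status is ' || status || '.' AS reason
-FROM
-aws_acm_certificate;
+language: sql
+primary_resource: aws_acm_certificate
+definition: |
+SELECT
+certificate_arn AS resource,
+platform_integration_id AS platform_integration_id,
+platform_resource_id AS platform_resource_id,
+CASE
+WHEN status = 'PENDING_VALIDATION' THEN 'info'
+ELSE 'ok'
+END AS status,
+title || ' status is ' || status || '.' AS reason
+FROM
+aws_acm_certificate;
 severity: low
 tags: {}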
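Review bot: The `description:` on the new side states that a pending certificate becomes invalid if not validated within 72 hours, yet the CASE maps every `PENDING_VALIDATION` row to `'info'` with a reason that carries no age, so a request that is one hour old and one that is about to lapse look identical to whoever triages the finding. If the `aws_acm_certificate` table exposes a request or creation timestamp (I cannot tell from this page), surfacing the elapsed time in the reason, or escalating to `'alarm'` once the 72-hour window has passed, would make the control match its own description; otherwise the description should drop the 72-hour sentence. The missing `region`/`account_id` columns and the empty `tags: {}` raised on `aws_acm_certificate_no_failed_certificate` apply here as well.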
