opengovern
diff --git a/‎compliance/controls/aws/aws_account_alternate_contact_security_registered.yaml‎
Lines changed: 56 additions & 59 deletions b/‎compliance/controls/aws/aws_account_alternate_contact_security_registered.yaml‎
Lines changed: 56 additions & 59 deletions
diff --git a/‎compliance/controls/aws/aws_account_part_of_organizations.yaml‎
Lines changed: 41 additions & 43 deletions b/‎compliance/controls/aws/aws_account_part_of_organizations.yaml‎
Lines changed: 41 additions & 43 deletions
diff --git a/‎compliance/controls/aws/aws_acm_certificate_expires_30_days.yaml‎
Lines changed: 63 additions & 65 deletions b/‎compliance/controls/aws/aws_acm_certificate_expires_30_days.yaml‎
Lines changed: 63 additions & 65 deletions
diff --git a/‎compliance/controls/aws/aws_acm_certificate_no_failed_certificate.yaml‎
Lines changed: 22 additions & 24 deletions b/‎compliance/controls/aws/aws_acm_certificate_no_failed_certificate.yaml‎
Lines changed: 22 additions & 24 deletions
@@ -1,60 +1,57 @@
-Description: This control checks if an AWS Web Services (AWS) account has security contact information. The control fails if security contact information is not provided for the account.
-ID: aws_account_alternate_contact_security_registered
-IntegrationType:
+id: aws_account_alternate_contact_security_registered
+title: Security contact information should be provided for an AWS account
+description: This control checks if an AWS Web Services (AWS) account has security contact information. The control fails if security contact information is not provided for the account.
+integration_type:
   - aws_cloud_account
-Query:
-  Engine: CloudQL-v0.0.1
-  ListOfTables:
-    - aws_account
-    - aws_account_alternate_contact
-  Parameters: []
-  PrimaryTable: aws_account
-  QueryToExecute: |
-    WITH alternate_security_contact AS (
-      SELECT
-        name,
-        account_id
-      FROM
-        aws_account_alternate_contact
-      WHERE
-        contact_type = 'SECURITY'
-    )
-    SELECT
-      arn AS resource,
-      platform_integration_id AS platform_integration_id,
-      platform_resource_id AS platform_resource_id,
-      CASE
-        WHEN a.partition = 'aws-us-gov' THEN 'info'
-        WHEN c.name IS NOT NULL THEN 'ok'
-        ELSE 'alarm'
-      END AS status,
-      CASE
-        WHEN a.partition = 'aws-us-gov' THEN a.title || ' in GovCloud, manual verification required.'
-        WHEN c.name IS NOT NULL THEN a.title || ' has security contact ' || c.name || ' registered.'
-        ELSE a.title || ' security contact not registered.'
-      END AS reason,
-      a.account_id
-    FROM
-      aws_account AS a
-    LEFT JOIN alternate_security_contact AS c ON c.account_id = a.account_id;
-Severity: low
-Tags:
-  category:
-    - Compliance
-  cis:
-    - "true"
-  cis_item_id:
-    - "1.18"
-  cis_level:
-    - "1"
-  cis_section_id:
-    - "1"
-  cis_type:
-    - not_scored
-  cis_version:
-    - v1.2.0
-  plugin:
-    - aws
-  service:
-    - AWS/IAM
-Title: Security contact information should be provided for an AWS account
+parameters: []
+policy:
+    language: sql
+    primary_resource: aws_account
+    definition: |
+        WITH alternate_security_contact AS (
+          SELECT
+            name,
+            account_id
+          FROM
+            aws_account_alternate_contact
+          WHERE
+            contact_type = 'SECURITY'
+        )
+        SELECT
+          arn AS resource,
+          platform_integration_id AS platform_integration_id,
+          platform_resource_id AS platform_resource_id,
+          CASE
+            WHEN a.partition = 'aws-us-gov' THEN 'info'
+            WHEN c.name IS NOT NULL THEN 'ok'
+            ELSE 'alarm'
+          END AS status,
+          CASE
+            WHEN a.partition = 'aws-us-gov' THEN a.title || ' in GovCloud, manual verification required.'
+            WHEN c.name IS NOT NULL THEN a.title || ' has security contact ' || c.name || ' registered.'
+            ELSE a.title || ' security contact not registered.'
+          END AS reason,
+          a.account_id
+        FROM
+          aws_account AS a
+        LEFT JOIN alternate_security_contact AS c ON c.account_id = a.account_id;
+severity: low
+tags:
+    category:
+      - Compliance
+    cis:
+      - 'true'
+    cis_item_id:
+      - '1.18'
+    cis_level:
+      - '1'
+    cis_section_id:
+      - '1'
+    cis_type:
+      - not_scored
+    cis_version:
+      - v1.2.0
+    plugin:
+      - aws
+    service:
+      - AWS/IAM
@@ -1,44 +1,42 @@
-Description: Ensure that an AWS account is part of AWS Organizations. The rule is non-compliant if an AWS account is not part of AWS Organizations, or AWS Organizations' master account ID does not match rule parameter MasterAccountId.
-ID: aws_account_part_of_organizations
-IntegrationType:
+id: aws_account_part_of_organizations
+title: AWS account should be part of AWS Organizations
+description: Ensure that an AWS account is part of AWS Organizations. The rule is non-compliant if an AWS account is not part of AWS Organizations, or AWS Organizations' master account ID does not match rule parameter MasterAccountId.
+integration_type:
   - aws_cloud_account
-Query:
-  Engine: CloudQL-v0.0.1
-  ListOfTables:
-    - aws_account
-  Parameters: []
-  PrimaryTable: aws_account
-  QueryToExecute: |
-    SELECT
-      arn AS resource,
-      platform_integration_id AS platform_integration_id,
-      platform_resource_id AS platform_resource_id,
-      CASE
-        WHEN organization_id IS NOT NULL THEN 'ok'
-        ELSE 'alarm'
-      END AS status,
-      CASE
-        WHEN organization_id IS NOT NULL THEN title || ' is part of organization(s).'
-        ELSE title || ' is not part of organization.'
-      END AS reason,
-      region,
-      account_id
-    FROM
-      aws_account;
-Severity: medium
-Tags:
-  category:
-    - Compliance
-  cis_controls_v8_ig1:
-    - "true"
-  gxp_21_cfr_part_11:
-    - "true"
-  nist_800_53_rev_5:
-    - "true"
-  nist_csf:
-    - "true"
-  plugin:
-    - aws
-  service:
-    - AWS/IAM
-Title: AWS account should be part of AWS Organizations
+parameters: []
+policy:
+    language: sql
+    primary_resource: aws_account
+    definition: |
+        SELECT
+          arn AS resource,
+          platform_integration_id AS platform_integration_id,
+          platform_resource_id AS platform_resource_id,
+          CASE
+            WHEN organization_id IS NOT NULL THEN 'ok'
+            ELSE 'alarm'
+          END AS status,
+          CASE
+            WHEN organization_id IS NOT NULL THEN title || ' is part of organization(s).'
+            ELSE title || ' is not part of organization.'
+          END AS reason,
+          region,
+          account_id
+        FROM
+          aws_account;
+severity: medium
+tags:
+    category:
+      - Compliance
+    cis_controls_v8_ig1:
+      - 'true'
+    gxp_21_cfr_part_11:
+      - 'true'
+    nist_800_53_rev_5:
+      - 'true'
+    nist_csf:
+      - 'true'
+    plugin:
+      - aws
+    service:
+      - AWS/IAM
@@ -1,66 +1,64 @@
-Description: Ensure network integrity is protected by ensuring X509 certificates are issued by AWS ACM.
-ID: aws_acm_certificate_expires_30_days
-IntegrationType:
+id: aws_acm_certificate_expires_30_days
+title: ACM certificates should not expire within 30 days
+description: Ensure network integrity is protected by ensuring X509 certificates are issued by AWS ACM.
+integration_type:
   - aws_cloud_account
-Query:
-  Engine: CloudQL-v0.0.1
-  ListOfTables:
-    - aws_acm_certificate
-  Parameters: []
-  PrimaryTable: aws_acm_certificate
-  QueryToExecute: |
-    SELECT
-      certificate_arn AS resource,
-      platform_integration_id AS platform_integration_id,
-      platform_resource_id AS platform_resource_id,
-      CASE
-        WHEN renewal_eligibility = 'INELIGIBLE' THEN 'skip'
-        WHEN DATE(not_after) - DATE(current_date) >= 30 THEN 'ok'
-        ELSE 'alarm'
-      END AS status,
-      CASE
-        WHEN renewal_eligibility = 'INELIGIBLE' THEN title || ' not eligible for renewal.'
-        ELSE title || ' expires ' || TO_CHAR(not_after, 'DD-Mon-YYYY') ||
-        ' (' || EXTRACT(DAY FROM not_after - current_date) || ' days).'
-      END AS reason,
-      region,
-      account_id
-    FROM
-      aws_acm_certificate;
-Severity: high
-Tags:
-  category:
-    - Compliance
-  cisa_cyber_essentials:
-    - "true"
-  fedramp_low_rev_4:
-    - "true"
-  fedramp_moderate_rev_4:
-    - "true"
-  ffiec:
-    - "true"
-  gdpr:
-    - "true"
-  hipaa_final_omnibus_security_rule_2013:
-    - "true"
-  hipaa_security_rule_2003:
-    - "true"
-  nist_800_53_rev_4:
-    - "true"
-  nist_800_53_rev_5:
-    - "true"
-  nist_800_171_rev_2:
-    - "true"
-  nist_csf:
-    - "true"
-  pci_dss_v321:
-    - "true"
-  plugin:
-    - aws
-  rbi_cyber_security:
-    - "true"
-  service:
-    - AWS/ACM
-  soc_2:
-    - "true"
-Title: ACM certificates should not expire within 30 days
+parameters: []
+policy:
+    language: sql
+    primary_resource: aws_acm_certificate
+    definition: |
+        SELECT
+          certificate_arn AS resource,
+          platform_integration_id AS platform_integration_id,
+          platform_resource_id AS platform_resource_id,
+          CASE
+            WHEN renewal_eligibility = 'INELIGIBLE' THEN 'skip'
+            WHEN DATE(not_after) - DATE(current_date) >= 30 THEN 'ok'
+            ELSE 'alarm'
+          END AS status,
+          CASE
+            WHEN renewal_eligibility = 'INELIGIBLE' THEN title || ' not eligible for renewal.'
+            ELSE title || ' expires ' || TO_CHAR(not_after, 'DD-Mon-YYYY') ||
+            ' (' || EXTRACT(DAY FROM not_after - current_date) || ' days).'
+          END AS reason,
+          region,
+          account_id
+        FROM
+          aws_acm_certificate;
+severity: high
+tags:
+    category:
+      - Compliance
+    cisa_cyber_essentials:
+      - 'true'
+    fedramp_low_rev_4:
+      - 'true'
+    fedramp_moderate_rev_4:
+      - 'true'
+    ffiec:
+      - 'true'
+    gdpr:
+      - 'true'
+    hipaa_final_omnibus_security_rule_2013:
+      - 'true'
+    hipaa_security_rule_2003:
+      - 'true'
+    nist_800_53_rev_4:
+      - 'true'
+    nist_800_53_rev_5:
+      - 'true'
+    nist_800_171_rev_2:
+      - 'true'
+    nist_csf:
+      - 'true'
+    pci_dss_v321:
+      - 'true'
+    plugin:
+      - aws
+    rbi_cyber_security:
+      - 'true'
+    service:
+      - AWS/ACM
+    soc_2:
+      - 'true'
@@ -1,25 +1,23 @@
-Description: This control ensures that ACM certificates are not in failed state.
-ID: aws_acm_certificate_no_failed_certificate
-IntegrationType:
+id: aws_acm_certificate_no_failed_certificate
+title: Ensure that ACM certificates are not in failed state
+description: This control ensures that ACM certificates are not in failed state.
+integration_type:
   - aws_cloud_account
-Query:
-  Engine: CloudQL-v0.0.1
-  ListOfTables:
-    - aws_acm_certificate
-  Parameters: []
-  PrimaryTable: aws_acm_certificate
-  QueryToExecute: |
-    SELECT
-      certificate_arn AS resource,
-      platform_integration_id AS platform_integration_id,
-      platform_resource_id AS platform_resource_id,
-      CASE
-        WHEN status IN ('VALIDATION_TIMED_OUT', 'FAILED') THEN 'alarm'
-        ELSE 'ok'
-      END AS status,
-      title || ' status is ' || status || '.' AS reason
-    FROM
-      aws_acm_certificate;
-Severity: low
-Tags: {}
-Title: Ensure that ACM certificates are not in failed state
+parameters: []
+policy:
+    language: sql
+    primary_resource: aws_acm_certificate
+    definition: |
+        SELECT
+          certificate_arn AS resource,
+          platform_integration_id AS platform_integration_id,
+          platform_resource_id AS platform_resource_id,
+          CASE
+            WHEN status IN ('VALIDATION_TIMED_OUT', 'FAILED') THEN 'alarm'
+            ELSE 'ok'
+          END AS status,
+          title || ' status is ' || status || '.' AS reason
+        FROM
+          aws_acm_certificate;
+severity: low
+tags: {}