Skip to content

updating readme #2

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Oct 13, 2024
Merged

updating readme #2

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
256 changes: 1 addition & 255 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,256 +1,2 @@
# Managed Config
This repository contains the defaul configuration files for Kaytu.
You can customizee by forking this repository and changing the files.

Here is the repository structure:


* [analytics](#assets): contains all the analytics
* [queries](#finder): defines the default queries that are suggested to users in query page
* [compliance](#compliance): contains all the compliance benchmarks and controls


## Analytics
### How to define:
All the files with `yaml` extension in analytics will be considered.

ID of each metric will be the file name so be careful of changing them as you will lose the historical data.
Each metric must contain these fields:
- connectors: `array[connector]` (connector: `AWS` or `Azure`)
- name: `string`
- query: `string`
- status: `string` (active or inactive)
- tags: `map[string][]string`
#### query
`query` should be grouped by `connection_id` and `region` and must select both of them along with the metric value with the name `count`.
we recommend using `kaytu_lookup` table to define the query. `kaytu_lookup` is a table that contains some bare information about all the resources in the system.
If you need more specific information about the resources, use the resource specific tables like `aws_ec2_instance` or `aws_s3_bucket`.

<details>
<summary><b>Example</b></summary>

```yaml
connectors:
- AWS
name: ACM Public Certificate (SSL/TLS)
query: select connection_id, region, count(*) from kaytu_lookup where resource_type = 'aws::certificatemanager::certificate' group by 1,2;
status: inactive
tags:
category:
- Security
```
</details>

#### tags
`tags` is a map of string to array of strings. Some keys like `category` are used to group the metrics in the UI.

#### query
`query` should be grouped by `kaytu_account_id` and `date` and must select both of them along with the metric value with the name `sum`.
The tables that contain cost data are `aws_cost_by_service_daily` and `azure_costmanagement_costbyresourcetype` for AWS and Azure respectively.

<details>
<summary><b>Example</b></summary>

```yaml
connectors:
- AWS
name: Amazon Elastic Compute Cloud - Compute
query: SELECT kaytu_account_id, period_start::date::text as date, sum(amortized_cost_amount) FROM aws_cost_by_service_daily WHERE service = 'Amazon Elastic Compute Cloud - Compute' group by 1,2;
status: active
tables:
- Amazon Elastic Compute Cloud - Compute
tags:
category:
- Compute
```
</details>

#### tables
`tables` is an array of strings that contains the names of the sub-table
(refer to where clause in the example) that contains the cost data.
#### tags
`tags` is a map of string to array of strings.
Some keys like `category` are used to group the metrics in the UI.

## Asset Finder
### How to define:
All the files with `yaml` extension in finder will be considered `Finder Queries`.
The ones in the `popular` folder will be shown in popular tab and the ones
in the `other` folder will be shown in other tab.

Each query must contain these fields:
- connectors: `array[connector]` (connector: `AWS` or `Azure`)
- query: `string`
- title: `string`

#### query
`query` is the SQL query against the Kaytu query engine, there are no limitations on this query.

<details>
<summary><b>Example</b></summary>

```yaml
connectors:
- AWS
- Azure
query: |-
select
case
when resource_type like 'aws::%' then 'AWS'
else 'Azure'
end as provider,
c.name as cloud_account_name,
c.id as _discovered_provider_id,
r.name as name,
r.region as location,
r.connection_id as _kaytu_connection_id,
r.resource_id as _resource_id,
r.resource_type as _resource_type,
r.created_at as _last_discovered
from
kaytu_resources r inner join kaytu_connections c on r.connection_id = c.kaytu_id
where
resource_type IN ('aws::ec2::vpc', 'microsoft.network/virtualnetworks')
title: Cloud Networks
```
</details>


## Compliance
Compliance consists of two parts: `benchmarks` and `controls`.
### How to define controls:
All the files with `yaml` extension in `compliance/controls` directory will be considered a `control`.
Each control must contain these fields:
- Description: `string`
- ID: `string` (must be unique across all the controls)
- Managed: `boolean`
- Query:
- Connector: `connector` (connector: `AWS` or `Azure`)
- Engine: `string` - the query engine that is used to run the query, currently only `odysseus-v0.0.1` is supported
- ListOfTables: `array[string]` - list of tables that are used in the query
- PrimaryTable: `string` - the table that the result of the query is from
- QueryToExecute: `string` - the query itself, no limitations
- Severity: `string` - the severity of the control one of `none`, `low`, `medium`, `high`, `critical`
- Tags: `map[string][]string`

<details>
<summary><b>Example</b></summary>

```yaml
Description: Ensure if an Amazon API Gateway API stage is using a WAF Web ACL. This rule is non compliant if an AWS WAF Web ACL is not used.
ID: aws_apigateway_stage_use_waf_web_acl
Query:
Connector: AWS
Engine: odysseus-v0.0.1
ListOfTables:
- aws_api_gateway_stage
PrimaryTable: aws_api_gateway_stage
QueryToExecute: |
select
arn as resource,
kaytu_account_id as kaytu_account_id,
kaytu_resource_id as kaytu_resource_id,
case
when web_acl_arn is not null then 'ok'
else 'alarm'
end as status,
case
when web_acl_arn is not null then title || ' associated with WAF web ACL.'
else title || ' not associated with WAF web ACL.'
end as reason

, region, account_id
from
aws_api_gateway_stage;
Severity: ""
Tags:
category:
- Compliance
cis_controls_v8_ig1:
- "true"
cisa_cyber_essentials:
- "true"
fedramp_low_rev_4:
- "true"
fedramp_moderate_rev_4:
- "true"
ffiec:
- "true"
nist_800_171_rev_2:
- "true"
nist_800_53_rev_5:
- "true"
nist_csf:
- "true"
pci_dss_v321:
- "true"
plugin:
- aws
rbi_cyber_security:
- "true"
service:
- AWS/APIGateway
Title: API Gateway stage should be associated with waf
```
</details>

### How to define benchmarks:
All the files with `yaml` extension in `compliance/benchmarks` directory will be considered a `benchmark`.
One thing to note here is that benchmarks can be nested into each other, with
root benchmarks being the ones that are not nested into any other benchmark
and the ones that we do assignments on, it is recommended to follow the directory structure
provided in this repository and mark root benchmarks with `root` in their name.

Each benchmark must contain these fields:
- AutoAssign: `boolean` - only applicable for root benchmarks, whether to assign the benchmark to all the accounts by default or not
- Baseline: `boolean` - only applicable for root benchmarks, whether to assign the benchmark to all the accounts by default or not
- Children: `array[string]` - list of child benchmarks, note that child benchmarks also can have children and the children must be defined in a `children.yaml` file
- Connector: `connector` (connector: `AWS` or `Azure`)
- Controls: `array[string]` - list of controls that are part of this benchmark, note that controls can be part of multiple benchmarks and they must be defined in `compliance/controls` directory
- Description: `string`
- Enabled: `boolean`
- ID: `string` (must be unique across all the benchmarks)
- Managed: `boolean`
- Tags: `map[string][]string`
- Title: `string`

<details>
<summary><b>Example</b></summary>

```yaml
ID: aws_cis_v200_3
Title: 3 Logging
DisplayCode: ""
Connector: AWS
Description: ""
Children: []
Tags:
category:
- Compliance
cis:
- "true"
cis_section_id:
- "3"
cis_version:
- v2.0.0
plugin:
- aws
service:
- AWS
type:
- Benchmark
Enabled: true
Controls:
- aws_cloudtrail_multi_region_read_write_enabled
- aws_cloudtrail_trail_validation_enabled
- aws_cloudtrail_bucket_not_public
- aws_cloudtrail_trail_integrated_with_logs
- aws_config_enabled_all_regions
- aws_cloudtrail_s3_logging_enabled
- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- aws_kms_cmk_rotation_enabled
- aws_vpc_flow_logs_enabled
- aws_cloudtrail_s3_object_write_events_audit_enabled
- aws_cloudtrail_s3_object_read_events_audit_enabled
```
</details>
This repository contains the defaul configuration files for OpenGovernance.
Loading