Fix framework structure

compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight.yaml

@@ -0,0 +1,15 @@
+framework:
+  id: aws_acsc_essential_eight
+  title: Australian Cyber Security Center (ACSC) Essential Eight
+  description: The Australian Cyber Security Center (ACSC) Essential Eight is a set of baseline security strategies designed to mitigate cyber security incidents. The Essential Eight is a prioritized list of mitigation strategies that organizations can implement to protect their systems against a range of adversaries. The Essential Eight is based on the Australian Signals Directorate (ASD) Strategies to Mitigate Cyber Security Incidents.
+  section-code: aws_acsc_essential_eight
+  metadata:
+    defaults:
+      auto-assign: false
+      enabled: false
+      tracks-drift-events: false
+    tags: {}
+  control-group:
+  - id: aws_acsc_essential_eight_ml_1
+  - id: aws_acsc_essential_eight_ml_2
+  - id: aws_acsc_essential_eight_ml_3

compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1.yaml

@@ -1,12 +1,17 @@
-ID: aws_acsc_essential_eight_ml_1
-Title: ACSC Essential Eight Maturity Level 1
-Description: The availability category refers to the accessibility of information used by the entity’s systems, as well as the products or services provided to its customers.
-SectionCode: ml_1
-Children:
-    - aws_acsc_essential_eight_ml_1_2
-    - aws_acsc_essential_eight_ml_1_5
-    - aws_acsc_essential_eight_ml_1_6
-    - aws_acsc_essential_eight_ml_1_7
-    - aws_acsc_essential_eight_ml_1_8
-Controls: []
-Tags: {}
+control-group:
+  id: aws_acsc_essential_eight_ml_1
+  title: ACSC Essential Eight Maturity Level 1
+  description: The availability category refers to the accessibility of information used by the entity’s systems, as well as the products or services provided to its customers.
+  section-code: ml_1
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags: {}
+  control-group:
+  - id: aws_acsc_essential_eight_ml_1_2
+  - id: aws_acsc_essential_eight_ml_1_5
+  - id: aws_acsc_essential_eight_ml_1_6
+  - id: aws_acsc_essential_eight_ml_1_7
+  - id: aws_acsc_essential_eight_ml_1_8

compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_2.yaml

@@ -1,8 +1,13 @@
-ID: aws_acsc_essential_eight_ml_1_2
-Title: 'ACSC-EE-ML1-2: Patch applications ML1'
-Description: A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.
-SectionCode: "2"
-Children:
-    - aws_acsc_essential_eight_ml_1_2_5
-Controls: []
-Tags: {}
+control-group:
+  id: aws_acsc_essential_eight_ml_1_2
+  title: "ACSC-EE-ML1-2: Patch applications ML1"
+  description: A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.
+  section-code: "2"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags: {}
+  control-group:
+  - id: aws_acsc_essential_eight_ml_1_2_5

compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_2_5.yaml

@@ -1,16 +1,21 @@
-ID: aws_acsc_essential_eight_ml_1_2_5
-Title: 'ACSC-EE-ML1-2.5: Patch applications ML1'
-Description: Patches, updates or vendor mitigations for security vulnerabilities in internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.
-SectionCode: "5"
-Children: []
-Controls:
-    - aws_ecs_service_fargate_using_latest_platform_version
-    - aws_eks_cluster_with_latest_kubernetes_version
-    - aws_elastic_beanstalk_environment_managed_updates_enabled
-    - aws_elasticache_cluster_auto_minor_version_upgrade_enabled
-    - aws_lambda_function_use_latest_runtime
-    - aws_opensearch_domain_updated_with_latest_service_software_version
-    - aws_rds_db_instance_automatic_minor_version_upgrade_enabled
-    - aws_redshift_cluster_maintenance_settings_check
-    - aws_ssm_managed_instance_compliance_patch_compliant
-Tags: {}
+control-group:
+  id: aws_acsc_essential_eight_ml_1_2_5
+  title: "ACSC-EE-ML1-2.5: Patch applications ML1"
+  description: Patches, updates or vendor mitigations for security vulnerabilities in internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.
+  section-code: "5"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags: {}
+  controls:
+  - aws_ecs_service_fargate_using_latest_platform_version
+  - aws_eks_cluster_with_latest_kubernetes_version
+  - aws_elastic_beanstalk_environment_managed_updates_enabled
+  - aws_elasticache_cluster_auto_minor_version_upgrade_enabled
+  - aws_lambda_function_use_latest_runtime
+  - aws_opensearch_domain_updated_with_latest_service_software_version
+  - aws_rds_db_instance_automatic_minor_version_upgrade_enabled
+  - aws_redshift_cluster_maintenance_settings_check
+  - aws_ssm_managed_instance_compliance_patch_compliant

compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_5.yaml

@@ -1,11 +1,16 @@
-ID: aws_acsc_essential_eight_ml_1_5
-Title: 'ACSC-EE-ML1-5: Restrict administrative privileges ML1'
-Description: The restriction of administrative privileges is the practice of limiting the number of privileged accounts and the extent of their access to systems and data.
-SectionCode: "5"
-Children:
-    - aws_acsc_essential_eight_ml_1_5_2
-    - aws_acsc_essential_eight_ml_1_5_3
-    - aws_acsc_essential_eight_ml_1_5_4
-    - aws_acsc_essential_eight_ml_1_5_5
-Controls: []
-Tags: {}
+control-group:
+  id: aws_acsc_essential_eight_ml_1_5
+  title: "ACSC-EE-ML1-5: Restrict administrative privileges ML1"
+  description: The restriction of administrative privileges is the practice of limiting the number of privileged accounts and the extent of their access to systems and data.
+  section-code: "5"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags: {}
+  control-group:
+  - id: aws_acsc_essential_eight_ml_1_5_2
+  - id: aws_acsc_essential_eight_ml_1_5_3
+  - id: aws_acsc_essential_eight_ml_1_5_4
+  - id: aws_acsc_essential_eight_ml_1_5_5

compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_5_2.yaml

@@ -1,16 +1,21 @@
-ID: aws_acsc_essential_eight_ml_1_5_2
-Title: 'ACSC-EE-ML1-5.2: Restrict administrative privileges ML1'
-Description: Privileged accounts (excluding privileged service accounts) are prevented from accessing the internet, email and web services.
-SectionCode: "2"
-Children: []
-Controls:
-    - aws_codebuild_project_environment_privileged_mode_disabled
-    - aws_ecs_task_definition_container_non_privileged
-    - aws_ecs_task_definition_no_root_user
-    - aws_eventbridge_custom_bus_resource_based_policy_attached
-    - aws_iam_policy_custom_no_blocked_kms_actions
-    - aws_iam_policy_inline_no_blocked_kms_actions
-    - aws_iam_policy_no_star_star
-    - aws_iam_root_user_no_access_keys
-    - aws_sagemaker_notebook_instance_root_access_disabled
-Tags: {}
+control-group:
+  id: aws_acsc_essential_eight_ml_1_5_2
+  title: "ACSC-EE-ML1-5.2: Restrict administrative privileges ML1"
+  description: Privileged accounts (excluding privileged service accounts) are prevented from accessing the internet, email and web services.
+  section-code: "2"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags: {}
+  controls:
+  - aws_codebuild_project_environment_privileged_mode_disabled
+  - aws_ecs_task_definition_container_non_privileged
+  - aws_ecs_task_definition_no_root_user
+  - aws_eventbridge_custom_bus_resource_based_policy_attached
+  - aws_iam_policy_custom_no_blocked_kms_actions
+  - aws_iam_policy_inline_no_blocked_kms_actions
+  - aws_iam_policy_no_star_star
+  - aws_iam_root_user_no_access_keys
+  - aws_sagemaker_notebook_instance_root_access_disabled

compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_5_3.yaml

@@ -1,15 +1,20 @@
-ID: aws_acsc_essential_eight_ml_1_5_3
-Title: 'ACSC-EE-ML1-5.3: Restrict administrative privileges ML1'
-Description: Privileged users use separate privileged and unprivileged operating environments.
-SectionCode: "3"
-Children: []
-Controls:
-    - aws_codebuild_project_environment_privileged_mode_disabled
-    - aws_codebuild_project_source_repo_oauth_configured
-    - aws_ecs_task_definition_container_non_privileged
-    - aws_ecs_task_definition_no_root_user
-    - aws_eventbridge_custom_bus_resource_based_policy_attached
-    - aws_iam_root_user_no_access_keys
-    - aws_sagemaker_notebook_instance_root_access_disabled
-    - aws_ssm_managed_instance_compliance_association_compliant
-Tags: {}
+control-group:
+  id: aws_acsc_essential_eight_ml_1_5_3
+  title: "ACSC-EE-ML1-5.3: Restrict administrative privileges ML1"
+  description: Privileged users use separate privileged and unprivileged operating environments.
+  section-code: "3"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags: {}
+  controls:
+  - aws_codebuild_project_environment_privileged_mode_disabled
+  - aws_codebuild_project_source_repo_oauth_configured
+  - aws_ecs_task_definition_container_non_privileged
+  - aws_ecs_task_definition_no_root_user
+  - aws_eventbridge_custom_bus_resource_based_policy_attached
+  - aws_iam_root_user_no_access_keys
+  - aws_sagemaker_notebook_instance_root_access_disabled
+  - aws_ssm_managed_instance_compliance_association_compliant

compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_5_4.yaml

@@ -1,12 +1,17 @@
-ID: aws_acsc_essential_eight_ml_1_5_4
-Title: 'ACSC-EE-ML1-5.4: Restrict administrative privileges ML1'
-Description: Unprivileged accounts cannot logon to privileged operating environments.
-SectionCode: "4"
-Children: []
-Controls:
-    - aws_codebuild_project_source_repo_oauth_configured
-    - aws_ec2_instance_iam_profile_attached
-    - aws_eventbridge_custom_bus_resource_based_policy_attached
-    - aws_ssm_managed_instance_compliance_association_compliant
-    - aws_vpc_security_group_restrict_ingress_ssh_all
-Tags: {}
+control-group:
+  id: aws_acsc_essential_eight_ml_1_5_4
+  title: "ACSC-EE-ML1-5.4: Restrict administrative privileges ML1"
+  description: Unprivileged accounts cannot logon to privileged operating environments.
+  section-code: "4"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags: {}
+  controls:
+  - aws_codebuild_project_source_repo_oauth_configured
+  - aws_ec2_instance_iam_profile_attached
+  - aws_eventbridge_custom_bus_resource_based_policy_attached
+  - aws_ssm_managed_instance_compliance_association_compliant
+  - aws_vpc_security_group_restrict_ingress_ssh_all

compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_5_5.yaml

@@ -1,17 +1,22 @@
-ID: aws_acsc_essential_eight_ml_1_5_5
-Title: 'ACSC-EE-ML1-5.5: Restrict administrative privileges ML1'
-Description: Privileged accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments.
-SectionCode: "5"
-Children: []
-Controls:
-    - aws_codebuild_project_environment_privileged_mode_disabled
-    - aws_codebuild_project_source_repo_oauth_configured
-    - aws_ecs_task_definition_container_non_privileged
-    - aws_ecs_task_definition_no_root_user
-    - aws_iam_policy_custom_no_blocked_kms_actions
-    - aws_iam_policy_inline_no_blocked_kms_actions
-    - aws_iam_policy_no_star_star
-    - aws_iam_root_user_no_access_keys
-    - aws_sagemaker_notebook_instance_root_access_disabled
-    - aws_vpc_security_group_restrict_ingress_ssh_all
-Tags: {}
+control-group:
+  id: aws_acsc_essential_eight_ml_1_5_5
+  title: "ACSC-EE-ML1-5.5: Restrict administrative privileges ML1"
+  description: Privileged accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments.
+  section-code: "5"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags: {}
+  controls:
+  - aws_codebuild_project_environment_privileged_mode_disabled
+  - aws_codebuild_project_source_repo_oauth_configured
+  - aws_ecs_task_definition_container_non_privileged
+  - aws_ecs_task_definition_no_root_user
+  - aws_iam_policy_custom_no_blocked_kms_actions
+  - aws_iam_policy_inline_no_blocked_kms_actions
+  - aws_iam_policy_no_star_star
+  - aws_iam_root_user_no_access_keys
+  - aws_sagemaker_notebook_instance_root_access_disabled
+  - aws_vpc_security_group_restrict_ingress_ssh_all

compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6.yaml

@@ -1,13 +1,18 @@
-ID: aws_acsc_essential_eight_ml_1_6
-Title: 'ACSC-EE-ML1-6: Patch operating systems ML1'
-Description: The patching of operating systems is the practice of applying patches, updates or vendor mitigations to security vulnerabilities in operating systems.
-SectionCode: "6"
-Children:
-    - aws_acsc_essential_eight_ml_1_6_2
-    - aws_acsc_essential_eight_ml_1_6_3
-    - aws_acsc_essential_eight_ml_1_6_4
-    - aws_acsc_essential_eight_ml_1_6_5
-    - aws_acsc_essential_eight_ml_1_6_6
-    - aws_acsc_essential_eight_ml_1_6_7
-Controls: []
-Tags: {}
+control-group:
+  id: aws_acsc_essential_eight_ml_1_6
+  title: "ACSC-EE-ML1-6: Patch operating systems ML1"
+  description: The patching of operating systems is the practice of applying patches, updates or vendor mitigations to security vulnerabilities in operating systems.
+  section-code: "6"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags: {}
+  control-group:
+  - id: aws_acsc_essential_eight_ml_1_6_2
+  - id: aws_acsc_essential_eight_ml_1_6_3
+  - id: aws_acsc_essential_eight_ml_1_6_4
+  - id: aws_acsc_essential_eight_ml_1_6_5
+  - id: aws_acsc_essential_eight_ml_1_6_6
+  - id: aws_acsc_essential_eight_ml_1_6_7

compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_2.yaml

@@ -1,9 +1,14 @@
-ID: aws_acsc_essential_eight_ml_1_6_2
-Title: 'ACSC-EE-ML1-6.2: Patch operating systems ML1'
-Description: A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.
-SectionCode: "2"
-Children: []
-Controls:
-    - aws_1test
-    - aws_ecr_repository_image_scan_on_push_enabled
-Tags: {}
+control-group:
+  id: aws_acsc_essential_eight_ml_1_6_2
+  title: "ACSC-EE-ML1-6.2: Patch operating systems ML1"
+  description: A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.
+  section-code: "2"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags: {}
+  controls:
+  - aws_1test
+  - aws_ecr_repository_image_scan_on_push_enabled

compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_3.yaml

@@ -1,8 +1,13 @@
-ID: aws_acsc_essential_eight_ml_1_6_3
-Title: 'ACSC-EE-ML1-6.3: Patch operating systems ML1'
-Description: A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in operating systems of internet-facing services.
-SectionCode: "3"
-Children: []
-Controls:
-    - aws_ecr_repository_image_scan_on_push_enabled
-Tags: {}
+control-group:
+  id: aws_acsc_essential_eight_ml_1_6_3
+  title: "ACSC-EE-ML1-6.3: Patch operating systems ML1"
+  description: A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in operating systems of internet-facing services.
+  section-code: "3"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags: {}
+  controls:
+  - aws_ecr_repository_image_scan_on_push_enabled

compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_4.yaml

@@ -1,8 +1,13 @@
-ID: aws_acsc_essential_eight_ml_1_6_4
-Title: 'ACSC-EE-ML1-6.4: Patch operating systems ML1'
-Description: A vulnerability scanner is used at least fortnightly to identify missing patches or updates for security vulnerabilities in operating systems of workstations, servers and network devices.
-SectionCode: "4"
-Children: []
-Controls:
-    - aws_ecr_repository_image_scan_on_push_enabled
-Tags: {}
+control-group:
+  id: aws_acsc_essential_eight_ml_1_6_4
+  title: "ACSC-EE-ML1-6.4: Patch operating systems ML1"
+  description: A vulnerability scanner is used at least fortnightly to identify missing patches or updates for security vulnerabilities in operating systems of workstations, servers and network devices.
+  section-code: "4"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags: {}
+  controls:
+  - aws_ecr_repository_image_scan_on_push_enabled